Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 c94a6a2d60457567…

MALICIOUS

RTF / .DOC

Size: 1.86 MB
Created: 2019-09-17 13:59:00
MD5: 21678bd2f7f31e56e71e87937e6323d5
SHA-1: 084e8b3f3389bb43b01a656efbb850efe2668e8a
SHA-256: c94a6a2d6045756781ffe30ef9c6ec89ac8bfbee2803b8bdcd198d10723fd6ca
Risk Score: 80

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1204.002 Malicious File

The RTF file contains embedded OLE objects, with one specifically triggered by \objupdate, indicating an attempt to execute embedded content. The presence of RTF_OBJDATA and RTF_OBJEMB heuristics further supports this. While no scripts were extracted, the structure suggests a malicious OLE object is embedded, likely to exploit a vulnerability or deliver a payload.

Heuristics (4)

  • \objupdate forces OLE activation (severity: high, RTF_OBJUPDATE)
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium, RTF_OBJDATA)
    RTF contains 1 \objdata section(s) — embedded OLE objects.
  • Embedded OLE object (severity: medium, RTF_OBJEMB)
    RTF contains \objemb — embedded OLE object.
  • Embedded URL (severity: info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.microsoft.com/office/word/2{\8\S\S

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off001bcd4d.bin
SHA-256: 7ccc9b033eacba9286def681aef246bcc65ef31c75c739745ff9cd351728a670
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x1BCD4D
Size: 1435 bytes