Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 c9e9415e093d9d1f…

MALICIOUS

RTF / .DOC

3.6 KB
MD5:     acf078c1d6463be0c67981e1d4b60e20
SHA-1:   c43cad778983c418f0fdad406121c7f4156c3a82
SHA-256: c9e9415e093d9d1ff9d60ea442e94a0fff29c511e888401008afb9047043ced5

Risk score: 80

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File
  • T1059.003 Windows Command Shell

The RTF document contains embedded OLE object data whose activation is forced by \objupdate. This indicates an attempt to exploit a vulnerability in OLE object handling, likely leading to arbitrary code execution. The heuristics strongly suggest a malicious RTF file designed to exploit OLE object handling, a technique commonly used for initial access via spearphishing.

Heuristics (3)

  • \objupdate forces OLE activation (severity: high, rule RTF_OBJUPDATE)
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium, rule RTF_OBJDATA)
    RTF contains 1 \objdata section(s): embedded OLE object(s).
  • Embedded OLE object (severity: medium, rule RTF_OBJEMB)
    RTF contains \objemb: an embedded OLE object.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename:  objdata_00_off00000074.bin
SHA-256:   0e8885db9e1e2417051e46a6ae25403709b03296b6ef53437ae83ed7ca9f658c
Kind:      rtf-objdata-decoded
Source:    RTF \objdata at offset 0x74
Size:      1685 bytes