Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 caa3036b42a6d9a0…

MALICIOUS

RTF / .DOC

Size: 1.90 MB
Created: 2019-09-17 13:59:00
MD5: 06b8ac11fe82be792a08494d85878d84
SHA-1: 8df993e9976a6e2ff23a7fbe83bebf0b35e79c95
SHA-256: caa3036b42a6d9a0e0a151840509d62c2042ee7c99434a3790bdc98cfe25abdd
Risk Score: 80

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File

The RTF file contains embedded OLE objects and specifically uses \objupdate to force OLE activation, indicating an attempt to execute embedded code. While no specific malicious script or payload was directly extracted, the heuristics strongly suggest vulnerability exploitation or malicious object embedding. The document body is heavily obfuscated and does not reveal clear intent.

Heuristics (4)

  • \objupdate forces OLE activation [high] RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data [medium] RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects.
  • Embedded OLE object [medium] RTF_OBJEMB
    RTF contains \objemb — embedded OLE object.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.microsoft.com/office/word/2{\1\L\L\L\L\L\L\L\L\L

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off001d0f0b.bin
SHA-256: 85c91e4eb3f3f4e8a17637a6bfa3d733a18bc43793ca8123d76ca93ac2a512bc
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x1D0F0B
Size: 3732 bytes