Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 d3f0942d64ef61c0…

Verdict: MALICIOUS
File type: RTF / .DOC
Size: 270.7 KB
MD5: bbcbecd2b756d90b3f3a04c0c68e0b52
SHA-1: 62d74956cc501daf24762424c175ab7b124be2a7
SHA-256: d3f0942d64ef61c0af53023853b0cbd2e9ade287773e801e3fd82738f090db9b
Risk score: 100

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File
  • T1059.001 PowerShell

The RTF file contains OLE object data and uses \objupdate to force OLE activation, indicating an attempt to exploit embedded objects. The combination of the RTF_OBJDATA and RTF_OLE10NATIVE_STREAM heuristics strongly suggests exploitation of a vulnerability. Although no specific script was extracted, the heuristics point to a malicious RTF document designed to deliver a payload via OLE object manipulation.

Heuristics (3)

  • Ole10Native stream in RTF OLE object (severity: high; CVE-related; id: RTF_OLE10NATIVE_STREAM)
    RTF contains an embedded OLE object with an Ole10Native stream. This is a strong payload-container signal and is related to Word/OLE exploit delivery, but it is not specific enough on its own to assign a CVE.
  • \objupdate forces OLE activation (severity: high; id: RTF_OBJUPDATE)
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium; id: RTF_OBJDATA)
    RTF contains 2 \objdata section(s): embedded OLE objects.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  • Filename: objdata_00_off000018cc.bin
    SHA-256: c3425417a5726d80bb878fe3df4241fe909055c7253197f07b04e048e221f00c
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x18CC
    Size: 4679 bytes