Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 db1b860e9244cb53…

MALICIOUS

RTF / .DOC

1.04 MB Created: 2019-06-26 01:37:00
MD5: 792b71e2a33ccb814f2ff9184302fd72 SHA-1: 2efb14a684c1eb756148c2ec49340fb4c7d9113c SHA-256: db1b860e9244cb53d53b7b225481566577573e9b9b460680b4a7d753c55adaa5
140 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious File T1027 Obfuscated Files or Information

The RTF file contains numerous OLE objects with excessive hex-encoded data, indicating a hidden payload. The \objupdate directive forces OLE activation, suggesting the embedded objects are designed to execute malicious code. No scripts were extracted, but the structure strongly implies a downloader or dropper functionality.

Heuristics 6

  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • Large hex data blocks in OLE object high RTF_EXCESSIVE_HEX
    RTF contains ~1003KB of hex-encoded data inside \objdata sections — may hide a payload
  • OLE object data medium RTF_OBJDATA
    RTF contains 22 \objdata section(s) — embedded OLE objects
  • Embedded OLE object medium RTF_OBJEMB
    RTF contains \objemb — embedded OLE object
  • OlePres presentation stream in RTF OLE object medium RTF_OLEPRES_STREAM
    RTF contains an embedded OLE object with an OlePres presentation stream. OlePres is an OLE presentation marker and is not enough on its own to identify CVE-2025-21298.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.microsoft.com/office/word/2003/wordml

Extracted artifacts 22

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off00003015.bin
b3120ac056fdc36627a94ccbaf86dab6ec35ca375eaa13dd7eaf9e7b969c4865		 rtf-objdata-decoded RTF \objdata at offset 0x3015 17467 bytes
objdata_01_off0000e2af.bin
0c14d3d702d0c0c6bd9214a538d56cb562b80bf8648384309d6cea2c321e9eba		 rtf-objdata-decoded RTF \objdata at offset 0xE2AF 17467 bytes
objdata_02_off0001a63b.bin
95716726db0e8fb90c761e4d0c082d6ef0cd99ccc145349ae2f31b81dff8f3f0		 rtf-objdata-decoded RTF \objdata at offset 0x1A63B 17467 bytes
objdata_03_off000258d5.bin
c4262c94593b14aafdc7a9524b5aa49359be88a4cfee89d84119c5381e84cb33		 rtf-objdata-decoded RTF \objdata at offset 0x258D5 17467 bytes
objdata_04_off00031d3f.bin
16d70169eef3d97e7834f635c93180f0a0f04357ea0fcda5228b872d45a1e23b		 rtf-objdata-decoded RTF \objdata at offset 0x31D3F 17467 bytes
objdata_05_off0003cfd7.bin
0f727610f732ad2097d8266631a1707083f0a5ddbb50ae240c344ebe48e1277f		 rtf-objdata-decoded RTF \objdata at offset 0x3CFD7 17467 bytes
objdata_06_off00048fdb.bin
9a27998c676d07e0cb452422ca256a2961c65d32813c448a0fc1ee8f99760840		 rtf-objdata-decoded RTF \objdata at offset 0x48FDB 17467 bytes
objdata_07_off00054275.bin
48d566c91b0de22c3da0e8329c9e855c2c910a735e74fab06fdf7bd10b2f54d4		 rtf-objdata-decoded RTF \objdata at offset 0x54275 17467 bytes
objdata_08_off00060279.bin
d8ec7c952e725052d910704871dad03fedd331a69b5faeae0dcd87efa2079e8e		 rtf-objdata-decoded RTF \objdata at offset 0x60279 17467 bytes
objdata_09_off0006b513.bin
c02a5bc927624f4d4608f8a07eba2cc6b233e4c295cb1ef58b16772685e5af3f		 rtf-objdata-decoded RTF \objdata at offset 0x6B513 17467 bytes
objdata_10_off00077513.bin
57e894bb0b5cf7c4d1294e3bef9133b29460cb266b9317eaa10a66ce4c5890b0		 rtf-objdata-decoded RTF \objdata at offset 0x77513 17467 bytes
objdata_11_off000827ad.bin
b59fefc043663903ba96efd5c40d0ff7c0b7c5c589c4b2f4d23a0eda4b7df079		 rtf-objdata-decoded RTF \objdata at offset 0x827AD 17467 bytes
objdata_12_off0008e7ad.bin
145f539fcccfcf57a487c8af0a09b1fa6c60e7224485152b09f8fa645efad88a		 rtf-objdata-decoded RTF \objdata at offset 0x8E7AD 17467 bytes
objdata_13_off00099a47.bin
51e8705be64485139b631d0a962b8704f94df811ed86ca715b688c61f517f18d		 rtf-objdata-decoded RTF \objdata at offset 0x99A47 17467 bytes
objdata_14_off000a5a4a.bin
d66b899ccef31829c0e162f53c49987a3984666b67c3a7740e724627724ff432		 rtf-objdata-decoded RTF \objdata at offset 0xA5A4A 17467 bytes
objdata_15_off000b0ce4.bin
c38f8a5aad031b0466f468c958ad8b7cb35eeb9484dae289b6968547b249927f		 rtf-objdata-decoded RTF \objdata at offset 0xB0CE4 17467 bytes
objdata_16_off000bcce6.bin
0d798757147665830023c157aa53aa12902c5b42be2b180637ad272d94632642		 rtf-objdata-decoded RTF \objdata at offset 0xBCCE6 17467 bytes
objdata_17_off000c7f80.bin
0cc6c091638d0d1737c5b7eac115d73c1ef31c2f3da93e7e32ad0f4180fa8dab		 rtf-objdata-decoded RTF \objdata at offset 0xC7F80 17467 bytes
objdata_18_off000d3f83.bin
8ed24f74206b025b792ced7458886dd0d0136500022d12435e15fc49f9cf412b		 rtf-objdata-decoded RTF \objdata at offset 0xD3F83 17467 bytes
objdata_19_off000df21d.bin
189b61b349ec95f16b18170c10a94159595f7c7b2c8499de4048938d649e8005		 rtf-objdata-decoded RTF \objdata at offset 0xDF21D 17467 bytes
objdata_20_off000eb1ff.bin
a97227188eb06517a769d3b212049cd864b1d08dbe947bfbd90efaa7b1b85e07		 rtf-objdata-decoded RTF \objdata at offset 0xEB1FF 17467 bytes
objdata_21_off000f6477.bin
2e17591883c413a24f89cb2e0990ca9cd5b6ec39d6206bb0d72947f0dadd6c8e		 rtf-objdata-decoded RTF \objdata at offset 0xF6477 17467 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.