Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 dc2ef16351225077…

Verdict: MALICIOUS
File type: RTF / .DOC
Size: 69.8 KB
MD5: 1ae4dd118f84facbd83a152ee858b896
SHA-1: aaf21e42f23d84c5cfa5fe85bbdc38fe35857962
SHA-256: dc2ef16351225077c9239f1fe27e04c822eb09a0c9a4d38ffdb88d68a241780d
Risk Score: 80

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1559.001 Component Object Model Hijacking

The RTF document contains embedded OLE objects whose activation is forced via \objupdate. This indicates an attempt to abuse OLE functionality to execute embedded code without user interaction. While no specific script was extracted, the heuristics strongly suggest a malicious OLE object designed to download and execute a second-stage payload.

Heuristics (3)

  • \objupdate forces OLE activation [high] (RTF_OBJUPDATE)
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data [medium] (RTF_OBJDATA)
    RTF contains 1 \objdata section(s) — embedded OLE objects.
  • Embedded OLE object [medium] (RTF_OBJEMB)
    RTF contains \objemb — embedded OLE object.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off000019e3.bin
SHA-256: 95e69548bf79e26290105d03cf04248ba5f7e12326272d9e997fcbcc2bab2f2d
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x19E3
Size: 3658 bytes