Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 dff5d20105b40ae8…

Verdict: MALICIOUS

File type: RTF / .DOC

Size: 235.9 KB

MD5: cfe92d4d6c403502c8057367c2f25b5d
SHA-1: 6aff2a0a3516ce3a4e4a00b4ff117e44603b2dd8
SHA-256: dff5d20105b40ae8ab28e601b2e93f4d611dcf4a6ae844dc6fe37cdc0f0e31c1

Risk Score: 100

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File

The RTF document contains embedded OLE objects, indicated by the RTF_OBJDATA and RTF_OLE10NATIVE_STREAM heuristics. The RTF_OBJUPDATE heuristic suggests that these objects are designed to be automatically activated upon opening the document. This mechanism is commonly used to execute embedded malicious code or download further stages of an attack. No specific family could be identified due to the lack of script content or further indicators.

Heuristics (3)

  • RTF_OLE10NATIVE_STREAM (severity: high, CVE-related): Ole10Native stream in RTF OLE object
    RTF contains an embedded OLE object with an Ole10Native stream. This is a strong payload-container signal and is related to Word/OLE exploit delivery, but it is not specific enough on its own to assign a CVE.
  • RTF_OBJUPDATE (severity: high): \objupdate forces OLE activation
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • RTF_OBJDATA (severity: medium): OLE object data
    RTF contains 2 \objdata sections (embedded OLE objects).

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00001c74.bin
SHA-256: 72e6c7e873c2f51d3cbe882a781a676643a06d16e617e2fa894d8e942f12ea41
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x1C74
Size: 4176 bytes