Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 e16055abf4d21d8f…

Verdict: MALICIOUS

File type: RTF / .DOC

Size: 3.3 KB

MD5: e00e875a82100e5b2f0f885ad53841b2
SHA-1: bbfb9feccf6824326d51dae86698fbddc83fa27d
SHA-256: e16055abf4d21d8ff013e00dc41ed72e1e6824c03ace721fb76805e1be0d1609

Risk Score: 80

Malware Insights

MITRE ATT&CK
  • T1559.001 Component Object Model Hijacking
  • T1204.002 Malicious File

The RTF document contains embedded OLE object data and utilizes the \objupdate directive, which is a strong indicator of an attempt to automatically execute embedded content upon opening. This technique is commonly used to deliver secondary payloads. No specific family could be identified from the available heuristics.

Heuristics (3)

  • \objupdate forces OLE activation (severity: high, rule: RTF_OBJUPDATE)
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium, rule: RTF_OBJDATA)
    RTF contains 1 \objdata section(s) — embedded OLE objects.
  • Embedded OLE object (severity: medium, rule: RTF_OBJEMB)
    RTF contains \objemb — embedded OLE object.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  Filename: objdata_00_off00000035.bin
  SHA-256:  3c05433528f616728e17d6bfaf584722cb34feaeeaa94051979c57a7fce5a917
  Kind:     rtf-objdata-decoded
  Source:   RTF \objdata at offset 0x35
  Size:     1322 bytes