Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 ef80e487d306c806…

MALICIOUS

RTF / .DOC

17.9 KB
MD5: 1ed604d8b10b83e65fab17a17b698ba8
SHA-1: 5cbc1ad4d781e0803c394c3f57e928eda00e372a
SHA-256: ef80e487d306c806975f367d9a20f83c0e0431eaddc2cddd290f1178ae34ce57
Risk Score: 100

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment; T1204.002 Malicious File; T1059.001 PowerShell

The RTF document contains embedded OLE object data and triggers heuristics for automatic OLE activation and update, indicating an attempt to exploit vulnerabilities associated with embedded objects. Together these indicators suggest a malicious intent to execute code as soon as the document is opened. While no specific malware family is identified, the attack pattern points towards leveraging OLE vulnerabilities for initial execution.

Heuristics (3)

  • Automatically linked OLE object (severity: high, rule: RTF_OBJAUTLINK)
    RTF contains \objautlink, an automatically linked OLE object that can be updated or activated when Word opens the document.
  • \objupdate forces OLE activation (severity: high, rule: RTF_OBJUPDATE)
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium, rule: RTF_OBJDATA)
    RTF contains 2 \objdata section(s), i.e. embedded OLE objects.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00001728.bin
SHA-256:  a290fcaea3a2b93cdc7c824dae7b6687ec8a9d0eff7264785f222da605b91444
Kind:     rtf-objdata-decoded
Source:   RTF \objdata at offset 0x1728
Size:     1642 bytes