Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 f62343b2c8c5c00f…

MALICIOUS

RTF / .DOC

2.35 MB Created: 2019-09-17 13:59:00
MD5: 5c62fe292fe653e642601164f283754e SHA-1: fcff0d5b73aac9f48ed5eed436cb183e80b38f51 SHA-256: f62343b2c8c5c00f0b7e98a2941d87745a116d3a77f831de1edf4e7687df2e51
80 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious File

The file is an RTF document containing embedded OLE objects, with heuristics indicating that \objupdate forces OLE activation. This suggests the document is designed to exploit OLE object vulnerabilities to execute arbitrary code. No specific malware family could be identified, and the document body was truncated, limiting further analysis of the exact payload.

Heuristics 4

  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects
  • Embedded OLE object medium RTF_OBJEMB
    RTF contains \objemb — embedded OLE object
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.microsoft.com/office/word/2{\2\N\N\N\N

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off0024e6d7.bin
270f94642d7518502a3ce5960f793d65e5c7b39cf8daf481981154aad96b46f2		 rtf-objdata-decoded RTF \objdata at offset 0x24E6D7 1414 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.