Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 fe17e03a00c4aee4…

Verdict: MALICIOUS

File type: RTF / .DOC

Size: 11.7 KB

MD5: d3fe6624b0f044affcbd0ef54f646ec8
SHA-1: 2df87a6549c40d6492548e91180c417849557b8d
SHA-256: fe17e03a00c4aee4bb8daa8507c1b9bc88a28f3f7c53f10f064a8dbbe7b3dc96

Risk Score: 60

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File
  • T1059.001 PowerShell

The file is an RTF document containing OLE object data, indicated by the RTF_OBJDATA heuristic. The RTF_OBJUPDATE heuristic suggests that this embedded object is designed to be activated automatically, which is a common technique for exploiting vulnerabilities in document processing applications. While no specific exploit or payload is directly visible in the provided snippets, the presence of these heuristics strongly implies an attempt to leverage an Office vulnerability to execute arbitrary code, likely for downloading a second-stage payload.

Heuristics (2)

  • \objupdate forces OLE activation (severity: high, RTF_OBJUPDATE)
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium, RTF_OBJDATA)
    RTF contains 2 \objdata section(s) — embedded OLE objects.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00001a67.bin
SHA-256:  fce1db185f148084d4bf3a23c0fa7f4ee9d21600be3567a9e42c0b88d7473625
Kind:     rtf-objdata-decoded
Source:   RTF \objdata at offset 0x1A67
Size:     1593 bytes