Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 0da037449078eb28…

MALICIOUS

RTF / .DOC

11.8 KB
MD5: e57459af29551726024c5248739a1971
SHA-1: 89494d2a840d5681b84a01767d42980eb3530003
SHA-256: 0da037449078eb28dffcd95733769019ee21831ac82b12d845fb051be22b33ec
Risk Score: 60

Malware Insights

MITRE ATT&CK
  • T1204.002 Malicious File
  • T1566.001 Spearphishing Attachment

The RTF document contains OLE object data and a \objupdate directive, which are indicative of an attempt to exploit OLE object activation for malicious purposes. The presence of these elements suggests the file is designed to trigger code execution upon opening, likely as a spearphishing attachment. The exact payload or exploit mechanism is not detailed in the provided evidence.

Heuristics (2)

  • \objupdate forces OLE activation [severity: high] RTF_OBJUPDATE
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data [severity: medium] RTF_OBJDATA
    RTF contains 2 \objdata section(s) (embedded OLE objects).

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00001c68.bin
  SHA-256: e6d611562a76f6e3b3a29243ce1d6187ece7451c62bedfd1c6edf8ccc1260c12
  Kind:    rtf-objdata-decoded
  Source:  RTF \objdata at offset 0x1C68
  Size:    1833 bytes