Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 1d6f88bb47dffacb…

Verdict: MALICIOUS

File type: RTF / .DOC

File size: 3.5 KB

MD5: e1c9dd305d732c887896101ac9a15955
SHA-1: cd2f67acf7b20c7c2267adde410a23029d40cab8
SHA-256: 1d6f88bb47dffacbcab3b6a8ef8fc3a919974e041926d3f7addd89e33f5d55ef

Risk Score: 60

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File
  • T1059.001 PowerShell

The RTF document contains embedded OLE object data (\objdata) and carries an \objupdate control word, which forces the OLE object to be activated when the document is opened. This points to an attempt to exploit an OLE activation vulnerability and suggests the file is designed to execute arbitrary code upon opening, most likely as a downloader staging further malicious activity. No specific malware family could be identified, as the sample contains no script content or other clear family indicators.

Heuristics (2)

  • RTF_OBJUPDATE (severity: high): \objupdate forces OLE activation
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • RTF_OBJDATA (severity: medium): OLE object data
    RTF contains 1 \objdata section(s) (embedded OLE objects).

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00000042.bin
SHA-256:  7cee3e05e4fad0bc36c8e38d1411ba93cc21418b857d87653cba7dca095d1c10
Kind:     rtf-objdata-decoded
Source:   RTF \objdata at offset 0x42
Size:     1647 bytes