Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 1dda2332d5fafd9a…

Verdict: MALICIOUS
File type: RTF / .DOC
Size: 16.0 KB
MD5: c295065ea2fe52108c9376c57921c71c
SHA-1: e5df64434a9dba905efa73d84da9fdd99d45c49f
SHA-256: 1dda2332d5fafd9ac5b13d221c1689c3535983aa9dbecca7a1bbff1468c45597
Risk score: 60

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File
  • T1059.001 PowerShell

The RTF document contains embedded OLE object data and carries an \objupdate control word, which makes the word processor instantiate the embedded object as soon as the document is opened instead of waiting for the user to activate it. That combination is characteristic of documents built either to trigger a vulnerability in the OLE server that handles the object or to coax the user into running embedded content. No second-stage payload or URL was recovered, so the verdict rests on these structural heuristics rather than on an observed payload; the T1059.001 PowerShell mapping is likewise inferred from the delivery pattern, not from a recovered command. The remainder of the document body is heavily obfuscated and yielded no further indicators.

Heuristics (2)

  • \objupdate forces OLE activation (severity: high, RTF_OBJUPDATE)
    The RTF contains \objupdate, which forces the embedded OLE object to be instantiated automatically when the document is opened, so the object is loaded without the user clicking on it. This control word is characteristic of Equation Editor (EQNEDT32.EXE) exploit documents, where the object must load without user interaction for the exploit to fire.
  • OLE object data (severity: medium, RTF_OBJDATA)
    The RTF contains 2 \objdata section(s), i.e. hex-encoded embedded OLE objects.
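Both heuristics can be reproduced with a short static check. The following Python script is an added example written for this page, not the analyzer's own code: it locates \objupdate control words, carves each \objdata group (tolerating whitespace and control words injected into the hex, a common obfuscation), decodes the hex to bytes and parses the OLE1.0 object header defined in MS-OLEDS to recover the class name and embedded native data, the same carving step that produced the artifact listed under Extracted artifacts. The sample RTF, its Equation.3 class name and the deadbeef native data are constructed for the example, and the additional OLE class-name check is an assumption of this example rather than a heuristic from the report.

```python
"""Static triage of an RTF for the \\objupdate and \\objdata heuristics.

Added example for this page, not the analyzer's own code. It finds \\objupdate
control words, carves each \\objdata group, decodes the hex-encoded bytes and
parses the OLE1.0 object header (MS-OLEDS) to recover the class name.
"""
import re
import struct

# Constructed sample, not the analyzed file: one embedded object marked
# \objupdate, class "Equation.3", and a 4-byte fake native-data payload.
# The hex is broken up by whitespace and an injected control word to mimic
# the obfuscation seen in real samples.
SAMPLE_RTF = (
    rb"{\rtf1\ansi\deff0"
    rb"{\object\objemb\objupdate{\*\objclass Equation.3}"
    rb"{\*\objdata 01050000 0200\highlight1 0000 0b000000"
    rb"4571756174696f6e2e3300 00000000 00000000 04000000 deadbeef}}"
    rb"\par obfuscated body}"
)

OBJUPDATE = re.compile(rb"\\objupdate(?![A-Za-z])")
OBJDATA = re.compile(rb"\\objdata(?![A-Za-z])")
CONTROL_WORD = re.compile(rb"\\[A-Za-z]+-?\d* ?")   # e.g. \highlight1 plus its delimiter


def group_end(data: bytes, start: int) -> int:
    """Index of the '}' closing the group whose body begins at `start`."""
    depth = 1
    i = start
    while i < len(data):
        c = data[i:i + 1]
        if c == b"\\":          # escaped brace or control symbol: skip the next byte
            i += 2
            continue
        if c == b"{":
            depth += 1
        elif c == b"}":
            depth -= 1
            if depth == 0:
                return i
        i += 1
    return len(data)


def find_objupdate(data: bytes) -> list:
    """Offsets of every \\objupdate control word."""
    return [m.start() for m in OBJUPDATE.finditer(data)]


def extract_objdata(data: bytes) -> list:
    """Carve and hex-decode every \\objdata group; offset is that of the keyword."""
    found = []
    for m in OBJDATA.finditer(data):
        body = data[m.end():group_end(data, m.end())]
        body = CONTROL_WORD.sub(b"", body)               # strip injected control words
        digits = re.sub(rb"[^0-9A-Fa-f]", b"", body)     # keep hex only; whitespace, \*, {} go
        if len(digits) % 2:
            digits = digits[:-1]                         # tolerate a dangling nibble
        found.append({"offset": m.start(), "blob": bytes.fromhex(digits.decode("ascii"))})
    return found


def parse_ole1(blob: bytes) -> dict:
    """OLE1.0 ObjectHeader: OLEVersion, FormatID, then three length-prefixed ANSI
    strings (ClassName, TopicName, ItemName). FormatID 2 (embedded object) is
    followed by NativeDataSize and NativeData."""
    try:
        ole_version, format_id = struct.unpack_from("<II", blob, 0)
        pos = 8
        names = []
        for _ in range(3):
            (length,) = struct.unpack_from("<I", blob, pos)
            pos += 4
            names.append(blob[pos:pos + length].rstrip(b"\x00").decode("latin-1"))
            pos += length
        info = {"ole_version": ole_version, "format_id": format_id,
                "class_name": names[0], "native_data": None}
        if format_id == 2:
            (size,) = struct.unpack_from("<I", blob, pos)
            info["native_data"] = blob[pos + 4:pos + 4 + size]
        return info
    except struct.error:
        return {"error": "truncated OLE1 header", "class_name": ""}


def triage(data: bytes) -> dict:
    """Apply the report's two heuristics plus an (assumed) OLE class-name check."""
    objupdate = find_objupdate(data)
    objects = extract_objdata(data)
    findings = []
    if objupdate:
        findings.append(("RTF_OBJUPDATE", "high"))
    if objects:
        findings.append(("RTF_OBJDATA", "medium"))
    for obj in objects:
        obj["header"] = parse_ole1(obj["blob"])
    # Assumption of this example, not a heuristic from the report: flag the
    # Equation Editor class name that \objupdate is typically paired with.
    if any(o["header"]["class_name"].lower().startswith("equation") for o in objects):
        findings.append(("OLE_CLASS_EQUATION", "high"))
    return {"objupdate_offsets": objupdate, "objects": objects, "findings": findings}


if __name__ == "__main__":
    result = triage(SAMPLE_RTF)
    for obj in result["objects"]:
        h = obj["header"]
        print(f"\\objdata at 0x{obj['offset']:X}: {len(obj['blob'])} bytes, "
              f"class {h['class_name']!r}, native data {h['native_data']!r}")
    print("findings:", result["findings"])
```

The hex filter is deliberately permissive: anything that is not a hex digit inside the \objdata group is discarded, which defeats whitespace and control-word padding but also means a nested group containing the letters a-f would pollute the decoded blob. For production triage, prefer a full RTF tokenizer (for instance oletools' rtfobj) over this regex approach.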

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off0000176e.bin
SHA-256: 1ca2cc332c606c12da3fdc7d78da2e94474bc9d8cb8885fa0f5496c14dced66e
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x176E
Size: 2039 bytes