Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 2d7d1f0c8f698e1d…

MALICIOUS

RTF / .DOC

76.8 KB
MD5: 010bc1cb93befce3bb087442346db71a SHA-1: 7ded2ffecda81cc84baf9e7fa796a1e557b734e7 SHA-256: 2d7d1f0c8f698e1d1200615c40bbca4ec6abb6b07bd40602c8fd710110014439
60 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious File T1059.001 PowerShell

The RTF document contains OLE object data and uses \objupdate to force activation, indicating an attempt to exploit vulnerabilities or embed malicious content. The presence of objdata suggests the embedding of an executable or script that is likely responsible for downloading and executing a secondary payload. No specific family could be identified, but the technique is common for initial access.

Heuristics 2

  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off000010fb.bin
9ff8b5bf66c28c94e4a4981a3849410dae813ec7e7330ab984924dfebefa0371		 rtf-objdata-decoded RTF \objdata at offset 0x10FB 4183 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.