Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 2f0e65a41a01d546…

MALICIOUS

RTF / .DOC

22.5 KB
MD5: 4a8a0f36f75b6e4f4fd146e8f05b7228
SHA-1: 76fa5f73ffd086193ccf568f759b97f233f22c49
SHA-256: 2f0e65a41a01d5467b2350ed0aa21947d249e3d400dcb40f8c80438ca15282c4

Risk Score: 60

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.001 PowerShell

The RTF document contains OLE object data and an \objupdate directive, indicating it is designed to embed and automatically activate external content. No document body text or scripts were available for analysis, but these heuristics strongly suggest malicious intent: abusing OLE object activation for payload delivery. Confidence is moderate because no further content was available to confirm the exact execution mechanism or the payload.

Heuristics (2)

  • \objupdate forces OLE activation (severity: high, rule RTF_OBJUPDATE)
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium, rule RTF_OBJDATA)
    RTF contains 2 \objdata section(s) — embedded OLE objects.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off000015a3.bin
SHA-256:  2440b2437ca96f9b051555855645a41b85bcad9adf8faa5f78c52319ddbd08bd
Kind:     rtf-objdata-decoded
Source:   RTF \objdata at offset 0x15A3
Size:     2221 bytes