Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 30910cd8f9de56b9…

MALICIOUS

RTF / .DOC

9.2 KB
MD5: ed546d0832f3d13b4c05a813b7460949
SHA-1: 4ed4027689a70838c382c62bd2a0aa03c65c5aff
SHA-256: 30910cd8f9de56b9dbdb4157b9ddb769b52bef499cfebd0e7f35303cdf4968b5

Risk Score: 60

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.001 PowerShell

The RTF document contains OLE object data and an \objupdate directive, indicating it is designed to embed OLE objects and activate them when the document is opened. This is a common technique for delivering malicious payloads. No specific malware family is identifiable, but the method is consistent with a downloader or an exploit delivery mechanism. The heuristics strongly indicate malicious intent.

Heuristics (2)

  • \objupdate forces OLE activation (severity: high, rule: RTF_OBJUPDATE)
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium, rule: RTF_OBJDATA)
    RTF contains 2 \objdata section(s), i.e. embedded OLE objects.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off0000124b.bin
SHA-256:  cc0c8471a6645d5c4d1f222caca8be321c3124f1299580b323d43be1a9861104
Kind:     rtf-objdata-decoded
Source:   RTF \objdata at offset 0x124B
Size:     1522 bytes