Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 3158cd594c16b0b0…

MALICIOUS

RTF / .DOC

19.3 KB
MD5: e4500cbd5856902256ccac61b3f4046e
SHA-1: 00cecc7f2620135be21eed4bb14b20d80a7b6ecf
SHA-256: 3158cd594c16b0b0c827fec80671cd6dc91c401b84f36af2b04c12e9d972fa36
Risk Score: 60

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.001 PowerShell
  • T1204.002 Malicious File

The RTF document contains OLE object data and an \objupdate directive, indicating it's designed to trigger the execution of embedded objects. This is a common technique for delivering malicious payloads, often used in phishing attacks to trick users into opening documents that then download and execute further malware. No scripts were extracted, and the document body was truncated, limiting further analysis of the specific lure.

Heuristics (2)

  • \objupdate forces OLE activation (severity: high, rule: RTF_OBJUPDATE)
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium, rule: RTF_OBJDATA)
    RTF contains 2 \objdata section(s) — embedded OLE objects

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00000d32.bin
SHA-256: 03552a68af83af9b4a51f57d9b9613517f8e1c86a23c094baf5f1e0bbcf21156
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0xD32
Size: 1638 bytes