Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 315b35059792a62e…

Verdict: MALICIOUS
File type: RTF / .DOC
Size: 12.5 KB
MD5: 14be4834507505c85ed0790ceeebe5ba
SHA-1: 61e1afbec7f215e598a424614bb43df95e5d4fbc
SHA-256: 315b35059792a62e53ef2443f0fd5ce87509a4b7d9c84b3a679940ef785adb42
Risk Score: 60

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1204.002 Malicious File

The RTF document contains embedded OLE objects, indicated by the RTF_OBJDATA heuristic. The RTF_OBJUPDATE heuristic suggests that these objects are designed to be activated automatically, which is a common technique for delivering malicious content. The document body is heavily obfuscated and does not provide clear textual clues about the intent. No scripts were extracted from this sample. The confidence is moderate due to the lack of clear payload indicators beyond the OLE object activation.

Heuristics (2)

  • \objupdate forces OLE activation (severity: high, RTF_OBJUPDATE)
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium, RTF_OBJDATA)
    RTF contains 2 \objdata section(s) — embedded OLE objects.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename                    Kind                 Source                        Size
objdata_00_off00000bd9.bin  rtf-objdata-decoded  RTF \objdata at offset 0xBD9  1488 bytes
  SHA-256: 41b4665e3ee944af0c8ec9164f4fbbf6da2d733ca4d6ff241d9a575356f7fab9