Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 33a9fcd2f5bc9911…

MALICIOUS

RTF / .DOC

10.1 KB
MD5: fd84372795d0d557fac5684710509e8d
SHA-1: fd4ca47bfd654dc5f333e504988a06b6005d3f21
SHA-256: 33a9fcd2f5bc9911277c8fa0548ac4aa9835226a834eb89e785374a0dae45b86
Risk Score: 60

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File
  • T1059.001 PowerShell

The RTF document contains OLE object data and an \objupdate directive, indicating an attempt to exploit OLE object handling vulnerabilities. This suggests the file is designed to deliver a malicious payload upon opening. No specific family could be identified, and the document body was too truncated to provide further context.

Heuristics (2)

  • \objupdate forces OLE activation (severity: high, RTF_OBJUPDATE)
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium, RTF_OBJDATA)
    RTF contains 2 \objdata section(s) — embedded OLE objects.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off0000122b.bin
SHA-256:  2f19b467f98215b3715a7f830c9140cc5cb5fb1946d5ac6ad0825a0eba470a56
Kind:     rtf-objdata-decoded
Source:   RTF \objdata at offset 0x122B
Size:     1736 bytes