Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 392a0b18b2d55be9…

MALICIOUS

RTF / .DOC

246.0 KB
MD5: a4860d282b10ab1687a8b09bad9eae37 SHA-1: a60ef2bbfee26dea85f2bb743a5418d09562b222 SHA-256: 392a0b18b2d55be9b31397928a79ac71c9960153c4e245fad9c91752e6d3e2d5
100 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious File

The RTF document contains OLE object data and is configured to automatically update and activate these objects. This indicates a likely attempt to execute embedded malicious code upon opening. No document body text or scripts were available for further analysis, limiting the ability to determine the specific payload or family.

Heuristics 3

  • Automatically linked OLE object high RTF_OBJAUTLINK
    RTF contains \objautlink — an automatically linked OLE object surface that can be updated or activated when Word opens the document.
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off000017dd.bin
365359551fe60ad7dba5de8c3a9ba27b7b751bf2f9d1c48590219b24f4609dbf		 rtf-objdata-decoded RTF \objdata at offset 0x17DD 4172 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.