Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 3feaf09cd2a54a70…

MALICIOUS

RTF / .DOC

147.4 KB
MD5: 6a18fe27192f5107da8d40243b4e9aae SHA-1: fde9a1d60aca9f9432836c1307ee130ebba3fde7 SHA-256: 3feaf09cd2a54a70cbac8be7a9bf1aa1d36a55fc59ecd0cb9710f561858af876
60 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 User Execution: Malicious File

The RTF document contains OLE object data and an \objupdate directive, indicating an attempt to execute embedded content. This is a common technique for delivering malicious payloads. Without further analysis of the embedded object, the specific family and IOCs remain unknown.

Heuristics 2

  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off0000182f.bin
a1324dc725b4827896608cd1cf76af6ff01efc232777bb18e6be71b44808a4ef		 rtf-objdata-decoded RTF \objdata at offset 0x182F 4155 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.