Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 4060abf7b75e0240…

MALICIOUS

RTF / .DOC

11.9 KB
MD5: 527458a20d961c482beb38ed150aeea5
SHA-1: 4000f60e019475ea15549b8c3cad2bf99db81e3a
SHA-256: 4060abf7b75e024090fbd2cb937a60f50698334db53a04f3d82a96bbdd823719
Risk Score: 60

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious File
  • T1059.001 PowerShell

The RTF document contains embedded OLE object data together with an \objupdate directive, which indicates an attempt to abuse automatic OLE activation for code execution. This is a common technique for delivering malicious payloads. No document body or script content was available for further analysis, which limits the ability to determine the specific payload or malware family.

Heuristics (2)

  • \objupdate forces OLE activation (severity: high, rule RTF_OBJUPDATE)
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium, rule RTF_OBJDATA)
    RTF contains 2 \objdata section(s), i.e. embedded OLE objects.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00000e89.bin
SHA-256:  c0fb683eb98c5826526e00423ae388bbef20f42697c66766cce517d807c5e4ba
Kind:     rtf-objdata-decoded
Source:   RTF \objdata at offset 0xE89
Size:     1463 bytes