Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 419478873ce76f1f…

Verdict: MALICIOUS
File type: RTF / .DOC
Size: 108.7 KB
MD5: 9914d25b90b6981c0b163854ab33072c
SHA-1: 1026303e4a0c8059186093153157dc259fe46776
SHA-256: 419478873ce76f1f00d4f8fd00f9f9a3bd7e9007e5c1cf60e4884ce2514df05c
Risk score: 60

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment
T1204.002 User Execution: Malicious File

The RTF carries embedded OLE object data (\objdata) and uses \objupdate to force that object to be activated when the document is opened, so the embedded content runs without the user double-clicking it. No script or URL could be extracted from the decoded object, so the second stage itself was not identified; taken together, the heuristics still strongly suggest a malicious OLE object, most likely one that downloads and executes a further payload. Confirming that requires examining the carved object (its OLE class name and native data), since the RTF wrapper alone does not show what the object does.

Heuristics (2)

  • RTF_OBJUPDATE (high): \objupdate forces OLE activation
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • RTF_OBJDATA (medium): OLE object data
    RTF contains 2 \objdata section(s), i.e. embedded OLE objects.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off0000206e.bin
SHA-256: 32ddc92b98c3d78a87360e3f7f2a9424b3d6c1f9b60b6fd48cce14dbc39ecb4a
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x206E
Size: 1804 bytes
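As an added example, not the analysis platform's own tooling, the following Python script reproduces the two heuristics and the artifact carving above on a constructed RTF: it locates every \objdata group, hex-decodes it to the OLE1 container, hashes the result, names the carved file the way the artifact table does (objdata_<n>_off<offset>.bin), and reads the class name out of the OLE1 object header so an analyst can see what the object claims to be. The sample RTF, the heuristic identifiers and all function names are assumptions made for this example.

```python
import hashlib
import re
import struct
from dataclasses import dataclass

# Constructed sample RTF for this example; it is NOT the analysed file.
# An \object group carries \objupdate (forces activation on open) and a
# \*\objdata group whose hex payload is a minimal OLE1 object header that
# names the Equation.3 class with zero bytes of native data.
SAMPLE_RTF = (
    b"{\\rtf1\\ansi\\deff0\n"
    b"{\\fonttbl{\\f0 Calibri;}}\n"
    b"\\pard Quarterly invoice attached.\\par\n"
    b"{\\object\\objemb\\objupdate\\objw1000\\objh1000\n"
    b"{\\*\\objclass Equation.3}\n"
    b"{\\*\\objdata 01050000 02000000 0b000000\n"
    b"45717561 74696f6e 2e3300 00000000 00000000 00000000}\n"
    b"{\\result {\\pard \\par}}}\n"
    b"}"
)

OBJDATA_RE = re.compile(rb"\\objdata(?![A-Za-z])")
OBJUPDATE_RE = re.compile(rb"\\objupdate(?![A-Za-z])")
HEX_DIGITS = frozenset(b"0123456789abcdefABCDEF")
OLE1_VERSION = 0x00000501


@dataclass
class ObjData:
    offset: int        # file offset of the \objdata control word
    raw: bytes         # decoded OLE1 container
    sha256: str
    class_name: str    # class name from the OLE1 header, "" if unparseable


def _group_hex(data: bytes, start: int) -> bytes:
    """Collect hex digits from `start` up to the '}' that closes the group.
    Control words (with optional numeric parameter) are skipped so that the
    digits of something like \bin0 are not mistaken for payload; nested
    groups are ignored because they never carry \objdata payload."""
    depth, i, out = 0, start, bytearray()
    while i < len(data):
        c = data[i]
        if c == 0x7B:                       # '{' opens a nested group
            depth += 1
        elif c == 0x7D:                     # '}' closes a group
            if depth == 0:
                break
            depth -= 1
        elif c == 0x5C:                     # '\' starts a control word/symbol
            i += 1
            while i < len(data) and data[i:i + 1].isalpha():
                i += 1
            if i < len(data) and data[i] == 0x2D:   # optional '-' of a parameter
                i += 1
            while i < len(data) and data[i:i + 1].isdigit():
                i += 1
            continue
        elif depth == 0 and c in HEX_DIGITS:
            out.append(c)
        i += 1
    return bytes(out)


def _ole1_class_name(blob: bytes) -> str:
    """Read the class name from an OLE1 object header: version, format id,
    then a length-prefixed ANSI class name (length includes the NUL)."""
    if len(blob) < 12:
        return ""
    version, _fmt, name_len = struct.unpack_from("<III", blob, 0)
    if version != OLE1_VERSION or name_len > len(blob) - 12:
        return ""
    return blob[12:12 + name_len].rstrip(b"\0").decode("ascii", "replace")


def analyze_rtf(data: bytes) -> dict:
    """Carve every \objdata payload and evaluate the two heuristics from the report."""
    objects = []
    for m in OBJDATA_RE.finditer(data):
        hexchars = _group_hex(data, m.end())
        if len(hexchars) % 2:               # dangling nibble: drop it rather than fail
            hexchars = hexchars[:-1]
        blob = bytes.fromhex(hexchars.decode("ascii"))
        objects.append(ObjData(m.start(), blob,
                               hashlib.sha256(blob).hexdigest(),
                               _ole1_class_name(blob)))
    heuristics = []
    if OBJUPDATE_RE.search(data):
        heuristics.append(("RTF_OBJUPDATE", "high",
                           "\\objupdate forces OLE activation on open"))
    if objects:
        heuristics.append(("RTF_OBJDATA", "medium",
                           f"{len(objects)} \\objdata section(s)"))
    return {"objects": objects, "heuristics": heuristics}


def carved_name(index: int, offset: int) -> str:
    """Artifact filename in the report's convention: objdata_<n>_off<hex offset>.bin."""
    return f"objdata_{index:02d}_off{offset:08x}.bin"


if __name__ == "__main__":
    result = analyze_rtf(SAMPLE_RTF)
    for hid, severity, note in result["heuristics"]:
        print(f"[{severity:6}] {hid}: {note}")
    for n, obj in enumerate(result["objects"]):
        print(f"{carved_name(n, obj.offset)}  class={obj.class_name!r} "
              f"size={len(obj.raw)} sha256={obj.sha256}")
```

The offset recorded for each artifact is that of the \objdata control word, which matches how the report names its carved file. On a real sample the decoded blob is usually far larger than this header; the class name is the first thing to check, because an Equation.3 object combined with \objupdate is the pattern the RTF_OBJUPDATE heuristic is built around, while a Package or unknown class points at a dropped file rather than an exploit.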