Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 44550b58e9a7358f…

MALICIOUS

RTF / .DOC

45.4 KB
MD5: adc84a49bc9d3f514f9937874124554c
SHA-1: 267c090f5585e42421ee69d489cd0108a996d37e
SHA-256: 44550b58e9a7358f990de097e3d6bfe0a06289f8827808b5c4ec416a36de92c7

Risk Score: 60

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.001 PowerShell
  • T1204.002 Malicious File

The RTF document contains OLE object data and an \objupdate directive, indicating that it is designed to embed OLE content and activate it when the document is opened. No specific script was extracted, but the presence of the OLE objects strongly suggests an attempt to deliver a secondary payload. The document body is heavily obfuscated and contains no clear user-facing text, so the OLE object is the primary indicator of malicious intent.

Heuristics (2)

  • \objupdate forces OLE activation (severity: high, rule: RTF_OBJUPDATE)
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium, rule: RTF_OBJDATA)
    RTF contains 2 \objdata section(s) (embedded OLE objects).

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off0000146d.bin
SHA-256: 5a83d0cc3061814870f1b33f578457f12996a48197a1d3d075f89bb97ddb8cde
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x146D
Size: 4159 bytes