Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 47dcc6f46fb3f06b…

Verdict: MALICIOUS
File type: RTF / .DOC
Size: 183.5 KB
MD5: cec7af780a758175b0de32c03e8b1cb3
SHA-1: bc4ad52ad616100718b81bb0bb4628d676b7ef2c
SHA-256: 47dcc6f46fb3f06b01f4adfcc0416945da3dd63764bc3fe315fc553947f18e13
Risk Score: 60

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File

The RTF document contains embedded OLE objects, indicated by the RTF_OBJDATA heuristic. The RTF_OBJUPDATE heuristic suggests that these objects are configured to activate automatically upon opening the document. This mechanism is commonly used to deliver and execute malicious payloads. No specific family could be identified, and no document body or script content was available for further analysis.

Heuristics (2)

  • \objupdate forces OLE activation (severity: high, RTF_OBJUPDATE)
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium, RTF_OBJDATA)
    RTF contains 2 \objdata section(s) (embedded OLE objects).

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00002051.bin
SHA-256:  beeb0afce76a3b26721e237efd657e567e0905b3155a6e1e6080201c9da72e2c
Kind:     rtf-objdata-decoded
Source:   RTF \objdata at offset 0x2051
Size:     1678 bytes