Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 48ccda2bbc0345a4…

MALICIOUS

RTF / .DOC

3.4 KB
MD5: 604792d0038f5b003e578c5b767ee3f8
SHA-1: 5b928a55b8b634c4d692769398f32b3d2e708660
SHA-256: 48ccda2bbc0345a419c6e9d538ea2ad22fc4a8bdd294025bfbd8640510ca24b1

Risk Score: 60

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File

The RTF document contains embedded OLE object data, indicated by the RTF_OBJDATA heuristic. The RTF_OBJUPDATE heuristic suggests that this object is designed to be automatically activated upon opening, likely leading to the execution of malicious code. Without further script or body content, the exact payload and delivery mechanism remain unclear, but the core technique involves exploiting RTF parsing and OLE object handling.

Heuristics (2)

  • RTF_OBJUPDATE (high): \objupdate forces OLE activation
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • RTF_OBJDATA (medium): OLE object data
    RTF contains 1 \objdata section(s) — embedded OLE objects

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00000056.bin
SHA-256:  04f5786a26197dbf335a52ac9b21f6cea25b69587e4025a0fe552d351291f9b7
Kind:     rtf-objdata-decoded
Source:   RTF \objdata at offset 0x56
Size:     1611 bytes