Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 4a339be9625cdce0…

Verdict: MALICIOUS

File type: RTF / .DOC

Size: 3.5 KB

MD5: 687cc9b6f0355c70242f5340a969f00b
SHA-1: b9bde56d0840946a0e92224005b39deb2ede0d0d
SHA-256: 4a339be9625cdce0fbd33e3e62a402d3df1b82ba9428fcfd20cf1a6161deb9db

Risk Score: 60

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File

The RTF document contains OLE object data together with an \objupdate directive, indicating it is designed to trigger activation of the embedded object as soon as the document is opened. This is a common technique for delivering malicious payloads. The specific exploit targeted cannot be determined without further analysis of the OLE object content, but the pattern suggests an attempt to execute arbitrary code when the file is opened.

Heuristics (2)

  • \objupdate forces OLE activation (high; RTF_OBJUPDATE)
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (medium; RTF_OBJDATA)
    RTF contains 1 \objdata section(s): embedded OLE objects.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  • Filename: objdata_00_off0000004d.bin
    SHA-256: c6c2d5d9a58c1a029b8b8084ca254f0fbbd2b391885d57aecfe02cb52002b1bc
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x4D
    Size: 1669 bytes