Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 4b467537059ef742…

Verdict: MALICIOUS

File type: RTF / .DOC

Size: 228.2 KB

MD5: 849ca119321706df998263be7803700d
SHA-1: 6fa120f7590eaf51a92379c4fbabcb0028a1db00
SHA-256: 4b467537059ef742a71a20ac4ccf65fc68ba223a760915cac95cc23dde1b8486

Risk Score: 60

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The file is an RTF document that contains embedded OLE object data (an \objdata destination) together with an \objupdate control word. \objupdate tells the RTF consumer (Microsoft Word) to update the embedded object when the document is opened, so the OLE object is instantiated without the user double-clicking it; this is the activation trick used by Equation Editor exploit documents. No document body text or scripts were extracted, so the user-facing lure and the exact payload type could not be confirmed from static analysis alone, and the confidence is therefore moderate. The verdict rests on the two heuristics below, which strongly suggest an embedded payload designed to run as soon as the document is opened.

Heuristics (2)

  • RTF_OBJUPDATE (high): \objupdate forces OLE activation
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • RTF_OBJDATA (medium): OLE object data
    RTF contains 1 \objdata section(s), i.e. embedded OLE object(s).

Extracted artifacts (1)

Files carved from inside the sample during analysis. The decoded \objdata blob is the object that \objupdate would activate; its OLE 1.0 header (class name) and native data identify what is actually embedded and should be examined next.

Filename: objdata_00_off00001533.bin
SHA-256: f7de668ef5d5e80ea4ed7708583e0f2416909db1f2ef32d49c1ab78765845c5e
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x1533
Size: 3637 bytes
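The two heuristics (RTF_OBJUPDATE, RTF_OBJDATA) and the \objdata carving that produced the artifact above can be reproduced with a short scanner. The following is an added example, not the analysis platform's own tooling. It runs over a constructed RTF that embeds a constructed OLE 1.0 object whose class name is Equation.3 (chosen because the heuristic ties \objupdate to Equation Editor documents); the bytes are filler, not the analysed sample and not exploit content. The hex payload is deliberately split by whitespace, a nested group and a stray control word, because obfuscated samples rely on the carver tolerating exactly that.

```python
"""Reproduce the RTF_OBJUPDATE / RTF_OBJDATA heuristics and \objdata carving.
Added example; the RTF and OLE object below are constructed for illustration."""
import binascii
import hashlib
import re
import struct

OBJUPDATE_RE = re.compile(rb"\\objupdate(?![a-zA-Z])")
OBJDATA_RE = re.compile(rb"\\objdata(?![a-zA-Z])")
# control word (\word, optional numeric parameter, optional delimiter space)
# or control symbol (\ followed by one non-letter character)
CONTROL_RE = re.compile(rb"\\(?:[a-zA-Z]+-?[0-9]* ?|[^a-zA-Z])")
HEXDIGITS = b"0123456789abcdefABCDEF"


def _lp_str(s: bytes) -> bytes:
    """MS-OLEDS LengthPrefixedAnsiString: length counts the NUL; 0 = absent."""
    return struct.pack("<I", len(s) + 1) + s + b"\x00" if s else struct.pack("<I", 0)


# Constructed OLE 1.0 embedded object: OLEVersion, FormatID=2 (embedded),
# ClassName/TopicName/ItemName, NativeDataSize, NativeData (filler only).
NATIVE = b"\x1c\x00" + b"A" * 30
OLE1_OBJECT = (
    struct.pack("<II", 0x00000501, 2)
    + _lp_str(b"Equation.3") + _lp_str(b"") + _lp_str(b"")
    + struct.pack("<I", len(NATIVE)) + NATIVE
)
_hex = binascii.hexlify(OLE1_OBJECT)
# Constructed RTF: \objupdate on the object, hex split by a newline, a nested
# group and a stray control word inside the \objdata destination.
SAMPLE_RTF = (
    b"{\\rtf1\\ansi\\deff0\n{\\object\\objemb\\objupdate{\\*\\objclass Equation.3}\n"
    b"{\\*\\objdata " + _hex[:40] + b"\n" + _hex[40:60]
    + b"{\\*\\junk ignored}\\par " + _hex[60:] + b"}}\n\\par hello}\n"
)


def carve_objdata(rtf: bytes):
    """Yield (offset, decoded_bytes) for every \objdata destination. Hex digits
    at the destination's own nesting level are kept; whitespace, nested groups
    and control words are skipped."""
    for m in OBJDATA_RE.finditer(rtf):
        i, depth, hexchars = m.end(), 0, bytearray()
        while i < len(rtf):
            c = rtf[i:i + 1]
            if c == b"{":
                depth += 1
            elif c == b"}":
                if depth == 0:          # closing brace of the \objdata group
                    break
                depth -= 1
            elif c == b"\\":
                cw = CONTROL_RE.match(rtf, i)
                i = cw.end() if cw else i + 2
                continue
            elif depth == 0 and c in HEXDIGITS:
                hexchars += c
            i += 1
        if len(hexchars) % 2:           # dangling nibble: drop it
            hexchars.pop()
        yield m.start(), binascii.unhexlify(bytes(hexchars))


def parse_ole1_header(blob: bytes):
    """Read the OLE 1.0 ObjectHeader; returns None if the blob is truncated."""
    try:
        version, fmt = struct.unpack_from("<II", blob, 0)
        pos, names = 8, []
        for _ in range(3):              # ClassName, TopicName, ItemName
            (n,) = struct.unpack_from("<I", blob, pos)
            pos += 4
            names.append(blob[pos:pos + n].rstrip(b"\x00").decode("latin-1"))
            pos += n
        native_size = None
        if fmt == 2:                    # embedded object carries NativeData
            (native_size,) = struct.unpack_from("<I", blob, pos)
            pos += 4
        return {"version": version, "format_id": fmt, "class_name": names[0],
                "native_size": native_size, "native_offset": pos}
    except struct.error:
        return None


def scan_rtf(rtf: bytes) -> dict:
    """Apply both heuristics and describe each carved object."""
    objects = []
    for off, blob in carve_objdata(rtf):
        hdr = parse_ole1_header(blob) or {}
        objects.append({"offset": hex(off), "size": len(blob),
                        "sha256": hashlib.sha256(blob).hexdigest(),
                        "class_name": hdr.get("class_name"),
                        "native_size": hdr.get("native_size")})
    objupdate = bool(OBJUPDATE_RE.search(rtf))
    severity = "high" if objupdate and objects else "medium" if objects else "none"
    return {"objupdate": objupdate, "objdata_count": len(objects),
            "severity": severity, "objects": objects}
```

Running scan_rtf(SAMPLE_RTF) reports objupdate true, one carved object with class name Equation.3 and severity high, which is the same combination the report flags. On the real sample the carved blob would be the 3637-byte artifact listed above; the class name in its OLE 1.0 header is the first thing to check, and anything other than a legitimate document object at the NativeData offset is what the \objupdate activation is there to run.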