Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 4ed83a1bad983590…

MALICIOUS

RTF / .DOC

16.7 KB
MD5: 9c973769243aaaf6f2bbe7e20881db66
SHA-1: c2de18f22faf61587d2e8464dede12f948d488f7
SHA-256: 4ed83a1bad983590c8ac5e29c310b5a275e0c1f587956c6016bbb598afa246e2
Risk Score: 60

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.001 PowerShell

The RTF document contains OLE object data and an \objupdate directive, indicating it is designed to embed and activate external content. While no specific payload or URL was extracted, the heuristics strongly suggest a malicious OLE object is present. The document body is heavily obfuscated and unreadable, preventing a more specific analysis of the lure.

Heuristics (2)

  • \objupdate forces OLE activation (severity: high, rule: RTF_OBJUPDATE)
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium, rule: RTF_OBJDATA)
    RTF contains 2 \objdata section(s) (embedded OLE objects).

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00001ba4.bin
SHA-256:  b4af75ac28a6d0d216a9e4356f7961ab633cfd8d8b7cc17ec5a289ee04e27a90
Kind:     rtf-objdata-decoded
Source:   RTF \objdata at offset 0x1BA4
Size:     1625 bytes