Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 55ad4ac2450e2605…

Verdict: MALICIOUS
File type: RTF / .DOC
File size: 274.8 KB
MD5: 4431a4970e30c3b32b20c8eecbc39bdd
SHA-1: 55e404418e5bb7bd89ebc029d4d9e47a140f04f5
SHA-256: 55ad4ac2450e26055ced2505ee75ae71123c04ab1ba9b1b9acd541d602dd36a5
Risk Score: 60

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File

The RTF file contains OLE object data and uses \objupdate to force OLE activation, indicating an attempt to exploit vulnerabilities or execute embedded content. The presence of OLE object data strongly suggests the file is designed to deliver a secondary payload or exploit. No specific family could be identified from the available heuristics.

Heuristics (2)

  • \objupdate forces OLE activation [severity: high] RTF_OBJUPDATE
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data [severity: medium] RTF_OBJDATA
    RTF contains 1 \objdata section(s), i.e. embedded OLE objects.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00001259.bin
SHA-256:  39cad65aada00c5977346f50bea2b4381af4369213ebc0b82ec173e818654a21
Kind:     rtf-objdata-decoded
Source:   RTF \objdata at offset 0x1259
Size:     4707 bytes