Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 55e7a5f90d38a94c…

Verdict: MALICIOUS

Type: RTF / .DOC

Size: 47.8 KB

MD5: cf284f926e5e28e63300bb9e6d2f3d2c
SHA-1: f4c2db91d66f25f8e3dadda661307c563cc0f596
SHA-256: 55e7a5f90d38a94c79dddc1156c1f2b74b2e8833a95bf6a7ae6ea74c613801c8

Risk score: 60

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment
T1204.002 User Execution: Malicious File

The RTF document embeds OLE object data (\objdata) together with an \objupdate control word. \objupdate tells the host application to update the embedded object as soon as the document is rendered, so the object's server application is instantiated without the user clicking on or otherwise activating it; this is the activation trigger characteristic of Equation Editor exploit documents. The combination indicates a document built to execute code on open, most likely delivered as a phishing or social engineering attachment. No specific malware family could be identified.

Heuristics (2)

  • RTF_OBJUPDATE (high): \objupdate forces OLE activation
    RTF contains \objupdate, which forces the embedded OLE object to be instantiated automatically when the document is opened, with no user interaction required. Almost exclusively seen in Equation Editor exploit documents.
  • RTF_OBJDATA (medium): OLE object data
    RTF contains 1 \objdata section(s), i.e. embedded OLE object(s).

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off0000176f.bin
SHA-256: ee9ed7912e7faf8e06ae5ca8dde4016564d4d08953648ae6b249e77db57dab4e
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x176F
Size: 1602 bytes