Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 574dbdb390707d18…

MALICIOUS

RTF / .DOC

76.6 KB
MD5: 5bcf6ebc662a1d391511345c88de0b15 SHA-1: 16afcfba8f96dfe68a97da7c1554b7fe6e0666cd SHA-256: 574dbdb390707d1894fe15eaddad927f59ff0055eff7ff3fcf7d97741d5b8a5b
80 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious File

The sample is an RTF document containing embedded OLE object data, which is triggered for activation by \objupdate. This indicates an attempt to execute embedded malicious content, likely for initial access. The specific payload and its ultimate goal are not clear from the available heuristics, hence the unknown family attribution.

Heuristics 3

  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects
  • Embedded OLE object medium RTF_OBJEMB
    RTF contains \objemb — embedded OLE object

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off00001a19.bin
a0f74c6fdcc9397749f51b53e22c24585d64ea4c5c0cb762d95dac5cee0fdfc9		 rtf-objdata-decoded RTF \objdata at offset 0x1A19 1851 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.