Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 592b50efdcb6690b…

Verdict: MALICIOUS
Type: RTF / .DOC
Size: 16.5 KB
MD5: 0cd76114af5f03f850d740ae491f5d74
SHA-1: 6385a4873d0a64076b01e93ff3045c47bc967082
SHA-256: 592b50efdcb6690b7f6d6c04b84eda74813d1bc040d9a6bf348afabfdc65fb4a
Risk Score: 60

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1566.001 Spearphishing Attachment

The RTF document contains OLE object data and an \objupdate directive, indicating an attempt to embed and activate external content. This suggests a delivery mechanism for a malicious payload, potentially exploiting OLE vulnerabilities. The specific nature of the payload is not clear from the provided heuristics, but the presence of OLE objects points towards an attack pattern focused on exploiting document structures.

Heuristics (2)

  • \objupdate forces OLE activation [severity: high] RTF_OBJUPDATE
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data [severity: medium] RTF_OBJDATA
    RTF contains 2 \objdata section(s) (embedded OLE objects).

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  • Filename: objdata_00_off00000c09.bin
    SHA-256: 29abdce13f4dcf8b8920a3692c934e048b89ff1eea6586de1f659873282f9319
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0xC09
    Size: 1419 bytes