Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 597c463e74b0697d…

MALICIOUS

RTF / .DOC

161.8 KB
MD5: 67d981098720f9d22af464722e7c58bc SHA-1: b3c1e6f94f680fc611462ca3390d1660fdbe5df2 SHA-256: 597c463e74b0697d465f30bf59e37d1fa3c769da6a1bf019279f204c7f50b81b
60 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious File

The RTF file contains OLE object data and uses \objupdate to force activation, indicating an attempt to exploit vulnerabilities or execute embedded content. The presence of an embedded OLE object suggests a delivery mechanism for a secondary payload. No document body text or scripts were extracted, limiting further analysis of the specific payload.

Heuristics 2

  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off0000194e.bin
aceec5d955969a0a4b31360ad4c9d046d91084319ffd666627442024475d2c7e		 rtf-objdata-decoded RTF \objdata at offset 0x194E 4673 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.