Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 59ecdacad403e1fe…

MALICIOUS

RTF / .DOC

96.8 KB
MD5: 7620dffb4274bc19dec5a4fd566103b0
SHA-1: 7d81dbafa03b4be8193796302e69c28cc4dd70f7
SHA-256: 59ecdacad403e1fea285f25bab95455ebe2dbd3e4bc52f0d17176a811d358a8f

Risk Score: 60

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The file is an RTF document containing OLE object data and a \objupdate directive, which are commonly used to embed and execute malicious content. The heuristics indicate that the OLE object is intended to be activated, suggesting an attempt to exploit vulnerabilities or deliver a secondary payload. No document body or script content was available for further analysis, limiting the ability to identify specific family traits or detailed attack steps.

Heuristics (2)

  • \objupdate forces OLE activation [severity: high] (RTF_OBJUPDATE)
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data [severity: medium] (RTF_OBJDATA)
    RTF contains 1 \objdata section(s): embedded OLE objects.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00000b64.bin
SHA-256: d6e8a3f35d903414b16ca334de1c822531a6ba2ea1bf8464e9d30c0e9af73248
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0xB64
Size: 3681 bytes