Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 5fba448b5311f57b…

MALICIOUS

RTF / .DOC

18.4 KB
MD5: d217fe27a84b00ccd9cc9da4ef685f24
SHA-1: 5cab72d512eb24304845365708561bf073078678
SHA-256: 5fba448b5311f57b72305e3cf35200a3287ef967b3c6e687df63d042ded3a407

Risk Score: 60

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1203 Exploitation for Client Execution

The RTF document contains OLE object data and an \objupdate directive, indicating it is designed to activate embedded objects. This strongly suggests the file is intended to exploit vulnerabilities or deliver a secondary payload upon opening. No specific family could be identified from the available evidence.

Heuristics (2)

  • \objupdate forces OLE activation (severity: high, rule: RTF_OBJUPDATE)
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium, rule: RTF_OBJDATA)
    RTF contains 2 \objdata section(s) (embedded OLE objects).

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00001b91.bin
SHA-256: 635dd127512e1450e47982ff29e6cb292bfa4a0fa85c64e71893cb7b912c437e
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x1B91
Size: 1761 bytes