Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 5fd42210bee4eb86…

Verdict: MALICIOUS

File type: RTF / .DOC

Size: 564.6 KB

MD5: d584d49bc30740a3bb484496c4caebe4
SHA-1: 9ef14694a5e1484b2e89643e4c5e20c5d2b994ac
SHA-256: 5fd42210bee4eb860402b1f3cf1b37d3de88e2b7454ef79d4770bc253a11205a

Risk score: 80

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The RTF document contains embedded OLE object data and an \objupdate directive, indicating an attempt to exploit OLE object handling. The heuristic 'SE_ENABLE_LURE' confirms that the document instructs the user to enable editing, a common tactic used by macro-based malware droppers. No scripts or URLs were extracted, but the combination of embedded OLE objects and the enable-editing lure indicates the file is designed to execute a secondary payload once the user interacts with it.

Heuristics (3)

  • \objupdate forces OLE activation (severity: high, RTF_OBJUPDATE)
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium, RTF_OBJDATA)
    RTF contains 1 \objdata section(s) — embedded OLE objects.
  • Macro/content-enable lure (severity: medium, SE_ENABLE_LURE)
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00030b8b.bin
SHA-256: a71395b7c2646a3ff132cc24ae9df576421c5d27234f99cc6d21448475b96463
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x30B8B
Size: 1609 bytes