Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 6d7e1e9d797fa68a…

MALICIOUS

RTF / .DOC

108.6 KB First seen: 2026-02-12
MD5: 3686117b5689bf6a08117f5494789345 SHA-1: 542daeba9d5defc87083ead64d32239c12de984b SHA-256: 6d7e1e9d797fa68a5928d1d9b392166f8206d3965107777b67bcbe4c555147ea
60 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The RTF document contains OLE object data and a \objupdate directive, which are commonly used to trigger the execution of embedded exploits. This suggests the file is designed to exploit vulnerabilities in OLE object handling to achieve code execution. No specific family could be identified, and no further IOCs were extracted.

Heuristics 2

  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off000006aa.bin
efa161e211fb6a0918834c302ca9f33a6d4b74fb3ac80adef833202db43cb417		 rtf-objdata-decoded RTF \objdata at offset 0x6AA 4182 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.