Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 73ec208dca54b5b0…

MALICIOUS

RTF / .DOC

115.1 KB First seen: 2026-02-12
MD5: 0305fe742b24876da5378b053dd4e861 SHA-1: e527d2c1ef2f102969ecf1754cbd6f685471c5e6 SHA-256: 73ec208dca54b5b0a5221b6d2373fa8369f8ed59296b65e6a130a9899067f506
60 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The RTF document contains OLE object data and uses an \objupdate directive, indicating it is likely designed to exploit vulnerabilities or execute embedded content. The presence of these indicators suggests a malicious document intended for initial access via spearphishing. No specific family could be identified.

Heuristics 2

  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off000014eb.bin
9ace602c7c536d62085f3fc6e28319cdc89b101b0c7cfba850cc77717d56de1e		 rtf-objdata-decoded RTF \objdata at offset 0x14EB 4182 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.