Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 7733ecaadce1d569…

Verdict: MALICIOUS
File type: RTF / .DOC
Size: 88.1 KB
MD5: dc601a25a354e86d7d4e7d482635027c
SHA-1: 6f3f0c051651cf500dc987ef57088463aa4e1c99
SHA-256: 7733ecaadce1d569c6cb5b7700a86927951509e08aad5bbe95308e72719246eb
Risk Score: 80

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File
  • T1059.001 PowerShell

The sample is an RTF document that contains embedded OLE objects, as indicated by the RTF_OBJDATA and RTF_OBJEMB heuristics. The RTF_OBJUPDATE heuristic suggests that these objects are designed to be activated automatically, which is a common technique for exploiting vulnerabilities or delivering malicious content. The document body is heavily obfuscated and does not provide clear textual clues about its intent. Given the heuristics, the most likely attack pattern is the use of embedded objects to execute malicious code, potentially leading to a second-stage payload download or execution.

Heuristics (3)

  • RTF_OBJUPDATE (high): \objupdate forces OLE activation
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • RTF_OBJDATA (medium): OLE object data
    RTF contains 1 \objdata section(s) — embedded OLE objects
  • RTF_OBJEMB (medium): Embedded OLE object
    RTF contains \objemb — embedded OLE object

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00001385.bin
SHA-256: 3a1e8f5b41f38d3a8272e39482e1db643fcc11ebb6aaa686a2450ad0bf8f8a94
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x1385
Size: 4691 bytes