Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 8207410a6b7adfa5…

MALICIOUS

RTF / .DOC

89.5 KB
MD5:     53e847ec2d54da6ec87b78333f63ad3f
SHA-1:   9bd5648130ec4a66c42fce3638de0b67a372daa1
SHA-256: 8207410a6b7adfa5c4f8967fa3fe67a8de029d51681069dc97da7cea97f219fb

Risk Score: 60

Malware Insights

MITRE ATT&CK
  T1566.001 Spearphishing Attachment
  T1059.001 PowerShell

The RTF document contains OLE object data, indicated by the RTF_OBJDATA heuristic. The RTF_OBJUPDATE heuristic suggests that this embedded object is designed to be activated, likely leading to the execution of malicious code. No document body text or scripts were extracted, making it difficult to determine the exact payload or family. The confidence is moderate due to the lack of specific script or body content.

Heuristics (2)

  • RTF_OBJUPDATE (high): \objupdate forces OLE activation
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • RTF_OBJDATA (medium): OLE object data
    RTF contains 1 \objdata section(s), i.e. embedded OLE objects.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00000f9b.bin
SHA-256:  ed0975ef8cc0db42f414f5ee51912fb8540f354599b740f36ebe72531431f9fa
Kind:     rtf-objdata-decoded
Source:   RTF \objdata at offset 0xF9B
Size:     4700 bytes