Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 84a75d4e08c6d28f…

MALICIOUS

RTF / .DOC

170.8 KB
MD5: 5676cadae61186b1b446ed78bb5ed8bc
SHA-1: 9a379a28f7ba1d8e9806d04891095e488a931ef5
SHA-256: 84a75d4e08c6d28f7d358f95a77ad5af5e737de5e656bdfd6bbf006f456f831e
Risk Score: 60

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious File
  • T1059.001 PowerShell

The file is an RTF document containing OLE object data and an \objupdate directive, which strongly suggests an attempt to exploit OLE activation for code execution. The heuristics indicate a high likelihood of malicious OLE object embedding. No document body or script content was available for further analysis, limiting the ability to determine the specific payload or family.

Heuristics (2)

  • \objupdate forces OLE activation (severity: high, rule: RTF_OBJUPDATE)
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium, rule: RTF_OBJDATA)
    RTF contains 2 \objdata section(s) — embedded OLE objects

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off0000166c.bin
SHA-256:  e5801c57b274a6312368c7d677f7db75e9f6a13821a5a500a30a909b9b595f44
Kind:     rtf-objdata-decoded
Source:   RTF \objdata at offset 0x166C
Size:     1587 bytes