Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 8554564666c0b408…

MALICIOUS

RTF / .DOC

120.0 KB
MD5: 9048d9d2932934827c47c11a4e98accd
SHA-1: 4253564cb2e358338f0384d09f970796b6bac5c7
SHA-256: 8554564666c0b4080197e577fa4ec1d2c4207af99d7df1ab40f3fd71f043f935

Risk Score: 80

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File
  • T1059.001 PowerShell

The RTF document contains embedded OLE objects, and the \objupdate directive indicates an attempt to activate these objects. This strongly suggests an exploit targeting OLE object handling to achieve arbitrary code execution. No document body or script content was available for further analysis, limiting the ability to identify a specific malware family or payload.

Heuristics (3)

  • \objupdate forces OLE activation (severity: high, rule: RTF_OBJUPDATE)
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium, rule: RTF_OBJDATA)
    RTF contains 1 \objdata section(s) — embedded OLE objects.
  • Embedded OLE object (severity: medium, rule: RTF_OBJEMB)
    RTF contains \objemb — embedded OLE object.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename:  objdata_00_off000017e7.bin
SHA-256:   7599cf036700b9c262cfe6982a06276187629d1a66fbdf3d6bf756edc690b7fb
Kind:      rtf-objdata-decoded
Source:    RTF \objdata at offset 0x17E7
Size:      4253 bytes