Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 8656e6ac8128b86c…

MALICIOUS

RTF / .DOC

20.1 KB
MD5: 68428a0f761adee938a376d9e4a3fe8f SHA-1: 038697775a5688398360375c0c02aab518559a9d SHA-256: 8656e6ac8128b86cb4ac70f0c69745256676bb01550f22915fbf9b95d8dd9c77
60 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The RTF document contains OLE object data and triggers OLE activation, indicating an attempt to embed and execute malicious content. The heuristics suggest a high likelihood of malicious OLE object execution. No document body or script content was available for further analysis, limiting the ability to determine the specific payload or family.

Heuristics 2

  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 2 \objdata section(s) — embedded OLE objects

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off00000ef2.bin
63bb218db8aec06a92889c586b89561c65af7ec49a0f42de0880944e9fabf0d1		 rtf-objdata-decoded RTF \objdata at offset 0xEF2 1859 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.