Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 8a6766c68c97c3fd…

Verdict: MALICIOUS
Type: RTF / .DOC
Size: 32.3 KB
MD5: 21747471238a2868ab7568967d1d0520
SHA-1: 315ffcfb33157b4cb6623d3628d3a721f80c052d
SHA-256: 8a6766c68c97c3fd5a719ec7fa7bb2414c2714945871fd569a2d35be95180835
Risk Score: 100

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious File
  • T1059.001 PowerShell

The RTF document contains OLE object data and is configured to automatically update and activate those objects, a pattern characteristic of exploit documents. The presence of the RTF_OBJAUTLINK and RTF_OBJUPDATE heuristics strongly suggests that the embedded content is meant to execute without user interaction. No document body or script content was available for further analysis, which limits the ability to determine the exact payload or malware family.

Heuristics (3)

  • Automatically linked OLE object (severity: high, RTF_OBJAUTLINK)
    RTF contains \objautlink, an automatically linked OLE object surface that can be updated or activated when Word opens the document.
  • \objupdate forces OLE activation (severity: high, RTF_OBJUPDATE)
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium, RTF_OBJDATA)
    RTF contains 1 \objdata section(s), i.e. embedded OLE objects.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off0000003c.bin
SHA-256: c518eda0bd0fdb37fcfa6737421e55189cf18c55ad4824b102f2b62c52f861cd
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x3C
Size: 4143 bytes