Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 8bf1a6585351707c…

Verdict: MALICIOUS
File type: RTF / .DOC
Size: 9.9 KB
MD5: a7a9d48b3ac7cda3669bbf0f820e7827
SHA-1: 58a6e3e92a9de0e6ffddb520f55b3065b9e6323b
SHA-256: 8bf1a6585351707c17fd18446c873d1f9238e15827ab8c237dd4206520f070a0
Risk score: 100

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1204.002 User Execution: Malicious File
  • T1059.001 Command and Scripting Interpreter: PowerShell

The RTF document carries three indicators of malicious OLE object embedding: RTF_OBJDATA, RTF_OBJAUTLINK and RTF_OBJUPDATE. Together they point to a document built to instantiate and update an embedded OLE object as soon as Word opens it, without any click from the user, a mechanism commonly used to download and execute a second-stage payload. No specific malware family could be identified, and no URLs or scripts were extracted to further detail the payload or its delivery mechanism; the T1059.001 (PowerShell) tag is therefore not backed by an artifact recovered from this sample.

Heuristics (3)

  • Automatically linked OLE object (severity: high, RTF_OBJAUTLINK)
    RTF contains \objautlink, an automatically linked OLE object that Word can update or activate when it opens the document.
  • \objupdate forces OLE activation (severity: high, RTF_OBJUPDATE)
    RTF contains \objupdate, which tells Word to update the embedded object while the document is loading, so the object is instantiated without the user having to click it. In the wild this control word is seen almost exclusively in documents exploiting the Equation Editor.
  • OLE object data (severity: medium, RTF_OBJDATA)
    RTF contains 2 \objdata section(s), i.e. embedded OLE objects.

Extracted artifacts (1)

Files carved from inside the sample during analysis. The heuristics above count two \objdata sections but only one object was carved, so the second section should be inspected by hand.

Filename:  objdata_00_off00001251.bin
SHA-256:   5764ba6588ae419e8c1a6e73cba64462b65f7df37d5cfda047ef1b719a0c23d7
Kind:      rtf-objdata-decoded
Source:    RTF \objdata at offset 0x1251
Size:      1759 bytes
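As an added example (not the analysis platform's own code), the following Python script reproduces the two steps behind this report: it counts the \objautlink, \objupdate and \objdata control words that drive the three heuristics, then carves each \objdata group into its decoded OLE1 stream and reads the format ID and class name from the OLE1 header so the analyst can see what Word would instantiate. The RTF embedded in the script is constructed for illustration and is not the analysed file; the heuristic names reuse the report's labels, and the output filename pattern mirrors the artifact list above. The hex in the sample is broken up by whitespace and a nested group, two tricks that defeat a naive regex carver, which is why control words are stripped before the hex filter runs.

```python
"""Minimal RTF OLE-object triage: flag the \\objautlink / \\objupdate / \\objdata
control words and carve the hex-encoded OLE1 stream out of each \\objdata group.
Added example, not the analysis platform's own code."""
import re
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample, not the analysed document: one \object group that carries
# \objautlink and \objupdate, plus an OLE1 stream (class "Package", 4 bytes of
# native data) in \objdata.  The hex is split by whitespace and interrupted by
# a nested group, two common tricks for breaking naive regex-based carvers.
SAMPLE_RTF = (
    b"{\\rtf1\\ansi\\deff0{\\fonttbl{\\f0 Arial;}}\n"
    b"{\\object\\objautlink\\objupdate\\objw1\\objh1\n"
    b"{\\*\\objclass Package}\n"
    b"{\\*\\objdata 01050000 02000000\n"
    b"08000000 5061636b{\\*\\nothing}61676500\n"
    b"00000000 00000000 04000000 deadbeef}\n"
    b"{\\result{\\pict\\wmetafile8 00}}}\n"
    b"\\par Hello}\n"
)

HEURISTICS: Dict[str, bytes] = {
    "RTF_OBJAUTLINK": rb"\\objautlink\b",  # object is re-linked when the doc opens
    "RTF_OBJUPDATE": rb"\\objupdate\b",    # object is updated/activated on open
    "RTF_OBJDATA": rb"\\objdata\b",        # hex-encoded embedded OLE stream
}

# RTF tokens that may legitimately (or deliberately) sit between the hex digits.
RTF_NOISE = re.compile(rb"\\'[0-9A-Fa-f]{2}|\\[A-Za-z]+-?\d* ?|\\.", re.DOTALL)
OLE1_VERSION = 0x00000501  # bytes 01 05 00 00 at the start of every OLE1 stream


@dataclass
class CarvedObject:
    offset: int                 # byte offset of the \objdata control word
    data: bytes                 # decoded OLE1 stream
    format_id: Optional[int]    # 1 = linked object, 2 = embedded object
    class_name: Optional[str]   # OLE class / ProgID named in the OLE1 header


def group_body(rtf: bytes, start: int) -> bytes:
    """Return the text from `start` up to the brace that closes the enclosing
    RTF group, honouring nested groups and backslash escapes."""
    depth, i = 1, start
    while i < len(rtf) and depth > 0:
        c = rtf[i:i + 1]
        if c == b"\\":          # escaped brace or control word: skip the next byte
            i += 2
            continue
        if c == b"{":
            depth += 1
        elif c == b"}":
            depth -= 1
        i += 1
    end = i - 1 if depth == 0 else len(rtf)   # unterminated group: take the rest
    return rtf[start:end]


def decode_objdata(body: bytes) -> bytes:
    """Strip control words and braces *before* filtering for hex digits, so that
    letters inside a word like \\nothing are not mistaken for data."""
    cleaned = RTF_NOISE.sub(b"", body).replace(b"{", b"").replace(b"}", b"")
    hexdigits = re.sub(rb"[^0-9A-Fa-f]", b"", cleaned)
    if len(hexdigits) % 2:      # truncated trailing nibble: drop it rather than fail
        hexdigits = hexdigits[:-1]
    return bytes.fromhex(hexdigits.decode("ascii"))


def parse_ole1_header(data: bytes) -> Tuple[Optional[int], Optional[str]]:
    """Read FormatID and ClassName from an OLE1 stream (OLEVersion, FormatID,
    then a length-prefixed ANSI class name), as laid out in MS-OLEDS."""
    if len(data) < 12:
        return None, None
    version, format_id, name_len = struct.unpack_from("<III", data, 0)
    if version != OLE1_VERSION:
        return None, None
    class_name = None
    if 0 < name_len <= 256 and len(data) >= 12 + name_len:
        class_name = data[12:12 + name_len].rstrip(b"\0").decode("latin-1")
    return format_id, class_name


def scan_rtf(rtf: bytes) -> Tuple[Dict[str, int], List[CarvedObject]]:
    """Count the heuristic control words and carve every \\objdata group."""
    hits = {name: len(re.findall(pat, rtf)) for name, pat in HEURISTICS.items()}
    objects = []
    for m in re.finditer(HEURISTICS["RTF_OBJDATA"], rtf):
        data = decode_objdata(group_body(rtf, m.end()))
        format_id, class_name = parse_ole1_header(data)
        objects.append(CarvedObject(m.start(), data, format_id, class_name))
    return hits, objects


if __name__ == "__main__":
    hits, objects = scan_rtf(SAMPLE_RTF)
    for name, count in hits.items():
        print(f"{name:15s} {count}")
    for idx, obj in enumerate(objects):
        print(f"objdata_{idx:02d}_off{obj.offset:08x}.bin  {len(obj.data)} bytes  "
              f"format={obj.format_id} class={obj.class_name}")
```

The class name is the first thing to look at after carving: it tells you which COM server Word will load when \objupdate fires (for instance Equation.3 for the Equation Editor, or Package for the OLE packager), which is what separates a benign linked object from the document class described in the heuristics. For real samples the same carving is available in oletools' rtfobj, and a count of \objdata sections that exceeds the number of carved objects, as in this report, means the remaining group needs a manual decode.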