Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 8cf1c5210fd39222…

MALICIOUS

RTF / .DOC

109.1 KB
MD5: 29c676f8f014aa8d21bc2a4bee0b2555 SHA-1: bbc1a10743a3e05a9005598e45901d7a44786869 SHA-256: 8cf1c5210fd39222aaad8ac6c49d17f04d1c7b781093d4eeb7e43af135272635
60 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.001 PowerShell

The RTF document contains OLE object data and an \objupdate directive, indicating it is designed to activate embedded objects. This strongly suggests an attempt to exploit vulnerabilities or execute embedded code. While no specific script was extracted, the presence of OLE object data is a common delivery mechanism for malicious payloads.

Heuristics 2

  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off000010f0.bin
a81ec2c4111b755599ec307bba3d15805815934803697899fa7e82ed58f12da8		 rtf-objdata-decoded RTF \objdata at offset 0x10F0 4268 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.