Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 8f1db486c43c5492…

Verdict: MALICIOUS
File type: RTF / .DOC
File size: 19.4 KB
MD5: 868b036161ccd2f09fac9821e2af5986
SHA-1: fea1991407a9d0259ee46c7452888838330a37f1
SHA-256: 8f1db486c43c5492f1c6fec1a50d2ed9254534689b7249778b0ae33f93162cc7
Risk Score: 60

Malware Insights

MITRE ATT&CK
  • T1204.002 Malicious File
  • T1059.001 PowerShell

The RTF document contains OLE object data and carries an \objupdate control word, indicating an attempt to exploit a vulnerability. The presence of \objdata suggests embedded executable content or a mechanism to download and execute it. The specific exploit is not immediately clear from the available heuristics, but the overall pattern points to a malicious RTF file designed to compromise the user's system.

Heuristics (2)

  • \objupdate forces OLE activation [high] RTF_OBJUPDATE
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data [medium] RTF_OBJDATA
    RTF contains 1 \objdata section(s), i.e. embedded OLE objects.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off0000217d.bin
SHA-256: 38a2e9d38d15ab2582ddf933e5d79b3295435f1a2555d5a62a206d3ec272b39e
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x217D
Size: 1914 bytes