Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 8f66ac47c0fd7182…

MALICIOUS

RTF / .DOC

66.3 KB
MD5: 8c26f47ba03e8ae966c8175a022b6b18 SHA-1: 9e95821756a6dfeb53383fc4bc4babb65356065a SHA-256: 8f66ac47c0fd7182140247746b0f85994320ea9538448f03a9dd2925d513180d
60 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious File

The RTF document contains OLE object data and an \objupdate directive, indicating an attempt to exploit a vulnerability associated with embedded objects. The high-severity RTF_OBJUPDATE heuristic suggests that the embedded object is designed to be activated automatically. While no specific exploit or payload is directly visible in the provided snippets, this pattern is commonly used to deliver secondary malware. The lack of document body text or script content limits further analysis of the specific lure or payload.

Heuristics 2

  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off00000e16.bin
76a873f4da5343d1bda4539c2bd8fa1aaf2d12d38ee7b8230f92be8150035149		 rtf-objdata-decoded RTF \objdata at offset 0xE16 3654 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.