Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 8f8f4ccbf56a0e47…

MALICIOUS

RTF / .DOC

217.9 KB
MD5: e8679a2501848fb30059531ed33da328 SHA-1: f8a3307c32458dc77048da34b430097024339afd SHA-256: 8f8f4ccbf56a0e47e3b16d141a488fb2aebfab7457818bff15dfc0dbc8a581f7
60 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious File

The RTF document contains embedded OLE object data, indicated by the RTF_OBJDATA heuristic. The RTF_OBJUPDATE heuristic suggests that this object is designed to be automatically activated upon opening, likely exploiting a vulnerability to execute arbitrary code. Without further script or body content, the specific payload and delivery mechanism remain unclear, but the intent is to leverage OLE object execution for malicious purposes.

Heuristics 2

  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 2 \objdata section(s) — embedded OLE objects

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off000000a3.bin
cf3c02d180b2090f4fa50af0830e001f92c841fc75d68249314efc9d0b92405a		 rtf-objdata-decoded RTF \objdata at offset 0xA3 70722 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.