Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 904a61a37592f6a7…

MALICIOUS

RTF / .DOC

596.9 KB
MD5: 6f5d62c6f42baa394f077306e9def9a4 SHA-1: 8933ee031cb19c1c1eb03b82fb3d940445d34d04 SHA-256: 904a61a37592f6a7c9e5db72bc097782911ac5992b17c2188ae9c6306c41c1e2
60 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious File

The RTF document contains OLE object data and an \objupdate directive, indicating an attempt to exploit OLE vulnerabilities. This suggests the file is designed to execute embedded malicious content when opened. No specific family could be identified, and the document body was heavily obfuscated.

Heuristics 2

  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off00005ea7.bin
7c1e0cf2b2a05b2c8b2511bcd10e1148259d60fa43116eb8a77a6bb388bd3832		 rtf-objdata-decoded RTF \objdata at offset 0x5EA7 2478 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.