Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 91a4466204d8b24d…

MALICIOUS

RTF / .DOC

19.3 KB
MD5:     8d75bdd416f30cd9a7b55000a3a18b1e
SHA-1:   f43ecfcc0b127e1a793a468084b0c7ed1fc0547c
SHA-256: 91a4466204d8b24daf9817220f49c54bd186066c9ec4b070ed2a77c1ea6299d9

Risk Score: 60

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File

The RTF document contains OLE object data and uses \objupdate to force OLE activation, indicating an attempt to exploit vulnerabilities or execute embedded objects. The high-severity RTF_OBJUPDATE heuristic suggests this is the primary mechanism for malicious execution. No document body or script content was available for further analysis.

Heuristics (2)

  • \objupdate forces OLE activation [high] RTF_OBJUPDATE
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data [medium] RTF_OBJDATA
    RTF contains 2 \objdata section(s) (embedded OLE objects).

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00001583.bin
  SHA-256: be1cfbb76d96345293bb196e3f651b183b15a2f2b3b0e6c87e157e9a43971c93
Kind:     rtf-objdata-decoded
Source:   RTF \objdata at offset 0x1583
Size:     1760 bytes