Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 98dfe73666e5de3e…

Verdict: MALICIOUS
File type: RTF / .DOC
Size: 14.8 KB
MD5: a4dd5e2511a93875e2e3baacc3b774e2
SHA-1: 2feb63264ab7b402adb77aab4f4198033bc88a06
SHA-256: 98dfe73666e5de3e3a9bd68ccf7f13d44ae0069f37936b0e27141d97fcc36185
Risk score: 100

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1204.002 User Execution: Malicious File

The RTF document embeds OLE object data marked as automatically linked (\objautlink) and force-updated (\objupdate). That combination makes Word load the object's OLE server as soon as the document is opened, with no click from the user, which is the usual way RTF droppers trigger OLE vulnerabilities. The heuristics RTF_OBJAUTLINK and RTF_OBJUPDATE therefore strongly suggest the embedded object is there to execute code rather than to display content. No payload or URL was extracted, but documents built this way typically download and run a second stage. The file has no readable body text and no scripts, which limits static analysis; the decoded object carved from \objdata is the artifact to inspect next, since its OLE class name identifies the server that would be activated.

Heuristics (3)

  • RTF_OBJAUTLINK (high): Automatically linked OLE object
    RTF contains \objautlink: an automatically linked OLE object that Word can update or activate when it opens the document.
  • RTF_OBJUPDATE (high): \objupdate forces OLE activation
    RTF contains \objupdate: forces the OLE object to be instantiated when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • RTF_OBJDATA (medium): OLE object data
    RTF contains 2 \objdata section(s), i.e. embedded OLE objects.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00000630.bin
SHA-256: 126b7f37ba1d850cf3f73088b97bdca029face2e166d02695cb1d8f8f86edb2c
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x630
Size: 1350 bytes
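The three heuristics and the carved artifact above can be reproduced with a small parser. The following is an added example, not code from the tool that produced this report: it counts the \objautlink, \objupdate and \objdata control words, carves each \objdata hex payload (skipping the whitespace and junk control words droppers insert to break naive carvers), and parses the OLE1 ObjectHeader (MS-OLEDS 2.2.4) at the start of the decoded bytes to read the embedded class name. The sample RTF it runs on is constructed here and names the Equation.3 class (the ProgID of Equation Editor 3.0) to illustrate the association the RTF_OBJUPDATE heuristic refers to; it is not the analysed file, whose decoded object contents the report does not show. The function and variable names are the example's own.

```python
r"""Triage helper for OLE objects embedded in RTF (added example, not the analysis
tool's code): counts the \objautlink, \objupdate and \objdata control words, carves
and hex-decodes each \objdata payload, and parses the OLE1 ObjectHeader
(MS-OLEDS 2.2.4) at the start of the decoded bytes to recover the class name."""
import re
import struct

# Heuristic ids and severities as used in the report above.
HEURISTICS = {"objautlink": ("RTF_OBJAUTLINK", "high"),
              "objupdate": ("RTF_OBJUPDATE", "high"),
              "objdata": ("RTF_OBJDATA", "medium")}
# Control word: backslash, letters, optional signed number, and no letter after it
# (so \objdata is not matched inside a longer word such as \objdatafoo).
CONTROL_WORD = re.compile(rb"\\([a-zA-Z]+)(-?\d+)?(?![a-zA-Z])")
NON_HEX = re.compile(rb"[^0-9a-fA-F]")

def count_control_words(rtf: bytes) -> dict:
    """Count each heuristic control word in the raw RTF bytes."""
    words = [m.group(1).decode("ascii") for m in CONTROL_WORD.finditer(rtf)]
    return {name: words.count(name) for name in HEURISTICS}

def carve_objdata(rtf: bytes) -> list:
    """Return (offset, decoded_bytes) for every \\objdata group. Nested groups,
    embedded control words and \\'hh escapes are skipped: droppers pad the hex
    with them to break naive carvers."""
    objects = []
    for m in CONTROL_WORD.finditer(rtf):
        if m.group(1) != b"objdata":
            continue
        depth, pos, chunks = 0, m.end(), []
        while pos < len(rtf):
            ch = rtf[pos:pos + 1]
            if ch == b"\\":                          # control word or control symbol
                cw = CONTROL_WORD.match(rtf, pos)
                pos = cw.end() if cw else pos + (4 if rtf[pos:pos + 2] == b"\\'" else 2)
                continue
            if ch == b"}" and depth == 0:            # brace closing the \objdata group
                break
            depth += (ch == b"{") - (ch == b"}")
            if depth == 0 and ch not in b"{}":
                chunks.append(ch)
            pos += 1
        hexdata = NON_HEX.sub(b"", b"".join(chunks))
        hexdata = hexdata[:len(hexdata) & ~1]        # drop a dangling nibble
        objects.append((m.start(), bytes.fromhex(hexdata.decode())))
    return objects

def parse_ole1_header(data: bytes) -> dict:
    """Parse the OLE1 ObjectHeader; raises ValueError if the blob is truncated."""
    def u32(off):
        if off + 4 > len(data):
            raise ValueError("truncated OLE1 header at offset %d" % off)
        return struct.unpack_from("<I", data, off)[0]

    def lp_string(off):                              # LengthPrefixedAnsiString
        n = u32(off)
        if off + 4 + n > len(data):
            raise ValueError("truncated string at offset %d" % off)
        return data[off + 4:off + 4 + n].rstrip(b"\x00").decode("latin-1"), off + 4 + n

    version, format_id = u32(0), u32(4)              # FormatID 2 = embedded, 1 = linked
    class_name, off = lp_string(8)
    topic_name, off = lp_string(off)
    item_name, off = lp_string(off)
    return {"ole_version": version, "format_id": format_id, "class_name": class_name,
            "topic_name": topic_name, "item_name": item_name,
            "native_size": u32(off) if format_id == 2 else None}

def triage(rtf: bytes) -> dict:
    """Apply the heuristics and describe each carved object."""
    counts = count_control_words(rtf)
    hits = [(hid, sev) for word, (hid, sev) in HEURISTICS.items() if counts[word]]
    objects = []
    for offset, data in carve_objdata(rtf):
        try:
            header = parse_ole1_header(data)
        except ValueError as exc:                    # unparseable object: flag, don't drop
            header = {"error": str(exc)}
        objects.append({"offset": offset, "size": len(data), **header})
    return {"heuristics": hits, "objects": objects}

def build_ole1_embedded(class_name: str, native: bytes) -> bytes:
    """Build an OLE1 EmbeddedObject blob; used here only to construct the sample."""
    cls = class_name.encode("ascii") + b"\x00"
    return (struct.pack("<II", 0x501, 2) + struct.pack("<I", len(cls)) + cls
            + struct.pack("<II", 0, 0) + struct.pack("<I", len(native)) + native)

# Constructed sample RTF, not the analysed file: hex split by a newline and a junk
# control word as droppers do; the native data is filler.
SAMPLE_BLOB = build_ole1_embedded("Equation.3", b"\xde\xad\xbe\xef")
_hex = SAMPLE_BLOB.hex().encode()
SAMPLE_RTF = (b"{\\rtf1\\ansi{\\object\\objautlink\\objupdate\\objw100\\objh100"
              b"{\\*\\objclass Equation.3}{\\*\\objdata " + _hex[:16]
              + b"\n\\foo12 " + _hex[16:] + b"}}}")
BENIGN_RTF = b"{\\rtf1\\ansi\\pard Quarterly report\\par}"

if __name__ == "__main__":
    print(triage(SAMPLE_RTF))
```

On a real sample, call triage(open(path, "rb").read()) and look at the class_name of each carved object: it is the quickest way to separate an Equation Editor document from a benign embedded spreadsheet. An object whose OLE1 header fails to parse is itself worth a manual look rather than a reason to discard it.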