Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 9b77cf0e25c52893…

Verdict: MALICIOUS
File type: RTF / .DOC
File size: 4.0 KB
MD5: 5bf8ee2724a5958b9ebf525d36768e84
SHA-1: 4e0e0bc7a05925eda37cdf562cd40134795a490b
SHA-256: 9b77cf0e25c52893c8a85dc38f617fad7ae29837298e4840e8f71d55cfdb6a97
Risk Score: 60

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File

The RTF file contains embedded OLE object data, flagged by the RTF_OBJDATA heuristic. The RTF_OBJUPDATE heuristic indicates that the object is set to activate automatically when the document is opened, which would likely lead to execution of malicious code. Because no further script or body content was recovered, the exact payload and delivery mechanism remain unclear, but the document is evidently built to exploit the user opening it.

Heuristics (2)

  • RTF_OBJUPDATE (severity: high) — \objupdate forces OLE activation
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • RTF_OBJDATA (severity: medium) — OLE object data
    RTF contains 1 \objdata section(s) (embedded OLE objects).

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00000071.bin
  SHA-256: da63fe570d28fdee8782f53f5cfb26ff658c265a6ec028c7f654b34f049bbcef
  Kind:    rtf-objdata-decoded
  Source:  RTF \objdata at offset 0x71
  Size:    1911 bytes