Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 9d127a03bdb54e7a…

Verdict: MALICIOUS

File type: RTF / .DOC

Size: 69.0 KB

MD5:     86ff80690f5bfc18462a446afe2c1e0d
SHA-1:   20b921e69773142c98f9d3f8ba15c7edf6063e64
SHA-256: 9d127a03bdb54e7abd9ed0a6574e23f488c2d3265783d594e8ec7b549ab9e6e6

Risk score: 80

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File

The RTF document contains embedded OLE objects, and a heuristic indicates that \objupdate forces OLE activation. This suggests the document is designed to exploit OLE vulnerabilities to execute embedded code. While no specific script content is available, the presence of OLE objects and the activation trigger strongly imply a malicious intent, likely for delivering a payload or conducting a phishing attack. The confidence is moderate due to the lack of explicit script analysis.

Heuristics (3)

  • \objupdate forces OLE activation (severity: high, rule: RTF_OBJUPDATE)
    RTF contains \objupdate: forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium, rule: RTF_OBJDATA)
    RTF contains 1 \objdata section(s): embedded OLE objects.
  • Embedded OLE object (severity: medium, rule: RTF_OBJEMB)
    RTF contains \objemb: embedded OLE object.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off000018c3.bin
  SHA-256: 96305500e379c182eafa3a4353788c16bd8fa045e7ac4ac1dbc4993594478072
  Kind:    rtf-objdata-decoded
  Source:  RTF \objdata at offset 0x18C3
  Size:    3681 bytes