Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 9d221db2c9a129c0…

Verdict: MALICIOUS
File type: RTF / .DOC
File size: 520.3 KB
MD5: 6b8d163654971e9be2061071087cb275
SHA-1: 0a378b8c9eb9f238e7a029b43c8ff7a13cd78fc1
SHA-256: 9d221db2c9a129c0c07803e8fbbb1485269adeeafad9abb179bc7aa2b48b774b
Risk Score: 60

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.001 PowerShell

The RTF document contains OLE object data and an object update trigger, indicating an attempt to execute embedded content. While the document body is heavily obfuscated and unreadable, the heuristics strongly suggest that the file is designed to exploit OLE object handling to run malicious code. No specific family could be identified, and the primary IOC is the extracted OLE object data.

Heuristics (2)

  • \objupdate forces OLE activation (severity: high, rule: RTF_OBJUPDATE)
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium, rule: RTF_OBJDATA)
    RTF contains 1 \objdata section(s), i.e. embedded OLE objects.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off000008bf.bin
SHA-256: 83e120b31c9bf3c6a44f86e2e9cd40cc1bcd83a970cd3f449b3eec22be3d0ab1
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x8BF
Size: 20505 bytes