Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 9e8f3dd98b5db2fa…

MALICIOUS

RTF / .DOC

19.1 KB
MD5:     adf2dfc27da038d24264a469ac108b9a
SHA-1:   4959f49683d3185a23ca334cb3af4732482ab199
SHA-256: 9e8f3dd98b5db2fa595ec065a8764402eb5366cb113a280730aaf4ae57755cc0

Risk Score: 60

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File
  • T1059.001 PowerShell

The sample is an RTF document that embeds OLE object data, a common delivery mechanism for exploits. The \objupdate heuristic indicates the document is built to force OLE activation as soon as it is opened, strongly suggesting an attempt to trigger an embedded exploit. No script was extracted, but the RTF structure and the heuristic hits point to a malicious document designed to execute code upon opening, most likely to deliver a payload.

Heuristics (2)

  • \objupdate forces OLE activation (severity: high) RTF_OBJUPDATE
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium) RTF_OBJDATA
    RTF contains 2 \objdata section(s), i.e. embedded OLE objects.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off000013fd.bin
SHA-256:  426a2c77960e3a742bc4e0085b42d8fbb2b060f1ca51514b5ee1945e7ad124ac
Kind:     rtf-objdata-decoded
Source:   RTF \objdata at offset 0x13FD
Size:     2014 bytes