Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 a0c03db332b594a3…

Verdict: MALICIOUS

File type: RTF / .DOC

File size: 11.5 KB

MD5: ab09266a8f8f9014a40b8a10a02b8026
SHA-1: dc8db8dc7e1c0674be9f9bd91a678a07de2cb22a
SHA-256: a0c03db332b594a3457aa04fe562931e88075fdf8db8b55e163dc27dda16c0f4

Risk Score: 60

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File
  • T1059.001 PowerShell

The RTF document contains OLE object data and uses \objupdate to force OLE activation, indicating that it is designed to exploit embedded objects. This suggests the file is a delivery mechanism for a secondary payload. No document body or script content was available for further analysis, which limits the ability to determine the exact payload or malware family.

Heuristics (2)

  • \objupdate forces OLE activation (severity: high, rule RTF_OBJUPDATE)
    The RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium, rule RTF_OBJDATA)
    The RTF contains 2 \objdata section(s), i.e. embedded OLE objects.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00001b50.bin
SHA-256:  7d7e94a39913aaf05e1f74f57496b7a1bc2cc602bbc390d3eaa6abe3cb22e543
Kind:     rtf-objdata-decoded
Source:   RTF \objdata at offset 0x1B50
Size:     1781 bytes