Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 a4a0fc5a3a192730…

MALICIOUS

RTF / .DOC

114.7 KB
MD5:     8c9ee6ed47f3c36f203543e8053624c9
SHA-1:   99af382b5dd02dd79e4e79478c8d710ddeb4a318
SHA-256: a4a0fc5a3a1927308af64aa86dd2830838c86f0dd713fb3aebc9135d6c040163

Risk Score: 60

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.001 PowerShell

The RTF document contains OLE object data and an \objupdate directive, indicating it is designed to embed and activate external content. This suggests a delivery mechanism for a malicious payload, likely triggered through user interaction with the embedded object. No specific malware family could be identified, and the document body was unreadable.

Heuristics (2)

  • RTF_OBJUPDATE (high): \objupdate forces OLE activation
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • RTF_OBJDATA (medium): OLE object data
    RTF contains 2 \objdata section(s), i.e. embedded OLE objects.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off0000128e.bin
SHA-256:  fc3f92e86b3cf2247217e4a4c07c5a578cf5b24702ffd2eb21f2d88906211925
Kind:     rtf-objdata-decoded
Source:   RTF \objdata at offset 0x128E
Size:     1817 bytes