Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 a5345131f33d6bda…

MALICIOUS

RTF / .DOC

14.6 KB
MD5: 9c0fd77227dc7dbd1117b41358fad2ad SHA-1: b5bb62de7a09c6ffc647a01d57410d9665686426 SHA-256: a5345131f33d6bda947f24b472c3802033cbb0d1c4b8d85dd3aaf2d99239b13b
100 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.001 PowerShell T1204.002 Malicious File

The RTF file contains OLE object data with automatic linking and update triggers, indicating an attempt to embed and execute malicious content. The heuristics suggest that the file is designed to exploit OLE object vulnerabilities to activate embedded content. While no specific document body or script content was available for detailed analysis, the presence of these OLE-related heuristics strongly points towards a malicious document designed to exploit user interaction or automatic activation upon opening.

Heuristics 3

  • Automatically linked OLE object high RTF_OBJAUTLINK
    RTF contains \objautlink — an automatically linked OLE object surface that can be updated or activated when Word opens the document.
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 2 \objdata section(s) — embedded OLE objects

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off00001359.bin
cbcbc5b716c178f4f192d828613199c17dc8f902e6ccfcd907b0d1582449c045		 rtf-objdata-decoded RTF \objdata at offset 0x1359 1641 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.