Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 a66d3d8a9929d439…

MALICIOUS

RTF / .DOC

15.9 KB
MD5: 7106de834f0764343afec0717ad34707
SHA-1: 9669819832184c375ac7b6755f01e69e768bbda5
SHA-256: a66d3d8a9929d439176d866dccc4492e0838bb5b17cffe44f1f9ee1373b211a7

Risk Score: 60

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The file is an RTF document containing OLE object data, as indicated by the RTF_OBJDATA heuristic. The RTF_OBJUPDATE heuristic shows that the document carries the \objupdate control word, which makes the word processor instantiate the embedded object as soon as the document is opened, so the object is activated without the user double-clicking it; this loading pattern is almost exclusively seen in Equation Editor exploit documents. No document body text or scripts were extracted, so the specific payload or malware family cannot be determined from the RTF layer alone; the carved OLE object (its class name and native data) is the place to look next. Confidence is moderate because of the missing details.

Heuristics (2)

  • RTF_OBJUPDATE, severity high: \objupdate forces OLE activation
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • RTF_OBJDATA, severity medium: OLE object data
    RTF contains 2 \objdata section(s) (embedded OLE objects).

Extracted artifacts (1)

Files carved from inside the sample during analysis. Note that the heuristics counted two \objdata sections but only one decoded object was carved; the second section should be inspected manually.

Filename: objdata_00_off000018e1.bin
SHA-256: 818c43056b0b29bb0c53a9f8a030e5044cac3a2ed86c37ae63df20124529b0e1
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x18E1
Size: 1616 bytes
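As an added example (not part of this report or of the analysis engine that produced it), the following Python script reproduces the two heuristics above and the artifact carving on a constructed RTF: it flags \objupdate, counts and hex-decodes the \objdata groups together with their byte offsets, names carved objects with the same objdata_NN_offXXXXXXXX.bin convention used in the artifacts table, and parses the OLE 1.0 object header of each decoded blob to recover the embedded class name (which is how an Equation Editor object such as Equation.3 is recognised). The sample RTF, its hex payloads and the function names are constructed for illustration and are not bytes or code from the analysed sample.

```python
import hashlib
import re
import struct
from typing import Dict, List, Optional, Tuple

# Constructed sample RTF (illustration only; not the analysed file's bytes).
# Object 1 carries \objupdate and an OLE1 header naming Equation.3;
# object 2 is a plain embedded Package object whose hex wraps over two lines.
SAMPLE_RTF = (
    rb"{\rtf1\ansi" + b"\r\n"
    + rb"{\object\objemb\objupdate{\*\objclass Equation.3}" + b"\r\n"
    + rb"{\*\objdata 01050000020000000b0000004571756174696f6e2e3300}}" + b"\r\n"
    + rb"{\object\objemb{\*\objdata 0105" + b"\r\n"
    + rb"0000 0200 0000 0800 0000 5061 636b 6167 6500}}" + b"\r\n"
    + rb"}"
)

# An RTF control word ends at the first non-letter, so the lookahead keeps
# "\objupdate" from matching a longer, differently named control word.
OBJUPDATE_RE = re.compile(rb"\\objupdate(?![a-zA-Z])")
OBJDATA_RE = re.compile(rb"\\objdata(?![a-zA-Z])")


def find_objdata(rtf: bytes) -> List[Tuple[int, bytes]]:
    """Return (offset of the \\objdata control word, decoded bytes) per group.

    The hex run is read up to the closing brace of the group; whitespace and
    line breaks are dropped because RTF writers wrap hex freely. Caveat: nested
    groups, \\bin blocks and deliberately obfuscated hex inside \\objdata are
    not handled here and yield an empty or partial blob.
    """
    found: List[Tuple[int, bytes]] = []
    for m in OBJDATA_RE.finditer(rtf):
        start = m.end()
        if rtf[start:start + 1] == b" ":   # the space delimiting the control word
            start += 1
        end = rtf.find(b"}", start)
        if end == -1:
            end = len(rtf)
        hexrun = re.sub(rb"\s+", b"", rtf[start:end])
        if len(hexrun) % 2:                # truncated nibble: drop it, do not fail
            hexrun = hexrun[:-1]
        try:
            data = bytes.fromhex(hexrun.decode("ascii"))
        except ValueError:                 # non-hex content: malformed or obfuscated
            data = b""
        found.append((m.start(), data))
    return found


def ole1_header(data: bytes) -> Optional[Dict[str, object]]:
    """Parse the fixed head of an OLE 1.0 object stream (the format carried in
    \\objdata): OLEVersion(4) FormatID(4) ClassName = length(4) + ANSI + NUL.
    FormatID 1 denotes a linked object, 2 an embedded one."""
    if len(data) < 12:
        return None
    version, fmt, name_len = struct.unpack_from("<III", data, 0)
    if version != 0x00000501 or name_len > len(data) - 12:
        return None
    class_name = data[12:12 + name_len].rstrip(b"\x00").decode("ascii", "replace")
    return {"format": {1: "linked", 2: "embedded"}.get(fmt, f"unknown({fmt})"),
            "class": class_name}


def assess(rtf: bytes) -> Dict[str, object]:
    """Apply the RTF_OBJUPDATE / RTF_OBJDATA heuristics and carve the objects,
    naming each artifact objdata_NN_offXXXXXXXX.bin as in the report."""
    objects = find_objdata(rtf)
    heuristics: Dict[str, str] = {}
    if OBJUPDATE_RE.search(rtf):
        heuristics["RTF_OBJUPDATE"] = "high"
    if objects:
        heuristics["RTF_OBJDATA"] = "medium"
    artifacts = []
    for i, (off, data) in enumerate(objects):
        artifacts.append({
            "filename": f"objdata_{i:02d}_off{off:08x}.bin",
            "offset": off,
            "size": len(data),
            "sha256": hashlib.sha256(data).hexdigest(),
            "ole1": ole1_header(data),
        })
    # \objupdate next to an Equation.* class is the Equation Editor exploit pattern.
    equation = any(a["ole1"] and str(a["ole1"]["class"]).lower().startswith("equation")
                   for a in artifacts)
    return {"heuristics": heuristics, "objdata_count": len(objects),
            "artifacts": artifacts,
            "equation_editor_pattern": "RTF_OBJUPDATE" in heuristics and equation}


if __name__ == "__main__":
    for key, value in assess(SAMPLE_RTF).items():
        print(f"{key}: {value}")
```

Running the script on the constructed sample reports both heuristics, two \objdata sections with their offsets, and the class names Equation.3 and Package; on a real sample the class name and the native data that follows the header are what identify the targeted component. The carving deliberately stops at the first closing brace, so an \objdata group padded with junk control words or nested groups, a common evasion in real exploit documents, comes out empty or truncated and should be decoded by hand.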