Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 a7321ea459e93c9d…

MALICIOUS

RTF / .DOC

90.3 KB
MD5: 40fc6f9570369cbfdbc9888b69b878f2 SHA-1: 699564b59b41a56a9ad8ed7becf450d6bed085ea SHA-256: a7321ea459e93c9d3bb6b46f2757c33202cd115971dd6470f9e1389d54005a44
60 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The RTF document contains OLE object data and triggers OLE activation, indicating an attempt to execute embedded content. While no specific script was extracted, the heuristics suggest a malicious OLE object is present, likely leading to further payload execution. The file's SHA256 hash is provided as a primary IOC.

Heuristics 2

  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off00001bbe.bin
0ba6286f201be45fd91d2d3a57f4af8b2cb5d798eb6a41d31f4b8d92bfe1ba60		 rtf-objdata-decoded RTF \objdata at offset 0x1BBE 4285 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.