Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 a95c55c12d459802…

MALICIOUS

RTF / .DOC

117.8 KB
MD5: 4f2320ab32d8d5dcb38f44e176d140de
SHA-1: e631d63aefb8c6828c795d676ea98e5f1a4a3203
SHA-256: a95c55c12d4598020ccab54ece8391a86b901baa150330f3f1e7ac16330c08a0
Risk Score: 100

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious File
  • T1059.001 PowerShell

The RTF document contains OLE object data and is configured to automatically update and activate these objects. This indicates a likely exploit targeting OLE object handling to achieve arbitrary code execution. The heuristics strongly suggest the document is designed to trigger an embedded exploit. While no specific payload or URL was directly extracted, the mechanism points towards a downloader or dropper.

Heuristics (3)

  • Automatically linked OLE object (severity: high, rule: RTF_OBJAUTLINK)
    RTF contains \objautlink — an automatically linked OLE object surface that can be updated or activated when Word opens the document.
  • \objupdate forces OLE activation (severity: high, rule: RTF_OBJUPDATE)
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium, rule: RTF_OBJDATA)
    RTF contains 1 \objdata section(s) — embedded OLE objects.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  • Filename: objdata_00_off0000199e.bin
    SHA-256: ad8c7ee95702cd1352cbca2849db5467e784b6e04c05fc4a2f9bd0680ccb2c7f
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x199E
    Size: 4249 bytes