Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 a9754359eb3dc1f8…

MALICIOUS

RTF / .DOC

98.4 KB
MD5: 9841841a47917cc5af32082b34260ec7 SHA-1: 2c054e1419dcb7b7bb29c674e0942da0a07d8ca2 SHA-256: a9754359eb3dc1f86474f60b539ead7c50792bec9aa3bc6e633a4a0300101c4a
60 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The RTF document contains OLE object data and an \objupdate directive, indicating it's designed to embed and activate external content. While no specific payload or script was directly extracted, the presence of these RTF-specific indicators strongly suggests a malicious intent to exploit OLE object activation for delivering a secondary payload. The confidence is moderate due to the lack of directly executable code or network indicators.

Heuristics 2

  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off000012d5.bin
9e1910eb84e8219ed777d722fe9768627b08e98b6d9265ba8237d6b5b44fb8da		 rtf-objdata-decoded RTF \objdata at offset 0x12D5 4262 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.