Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 a975f16523a953c7…

Verdict: MALICIOUS

File type: RTF / .DOC

Size: 17.2 KB

MD5: 528db288b62ebd4759b3ef15fdef0229
SHA-1: bc669e075ffe24e90262155db8a82e1c3e43d6d8
SHA-256: a975f16523a953c7bd1e6247fa23e663d2d1f82a8c01f425967b60e18d17ecc6

Risk score: 60

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File
  • T1059.001 PowerShell

The sample is an RTF document containing OLE object data and an \objupdate directive, indicating it is designed to abuse automatic OLE activation when the document is opened. This strongly suggests malicious intent to execute embedded or linked content. While no specific family is identifiable, the technique points towards a downloader or exploit delivery mechanism. The lack of readable document body text and scripts limits further analysis of the specific payload.

Heuristics (2)

  • \objupdate forces OLE activation (severity: high, RTF_OBJUPDATE)
    The RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium, RTF_OBJDATA)
    The RTF contains 2 \objdata section(s), i.e. embedded OLE objects.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off0000201f.bin
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x201F
Size: 1849 bytes
SHA-256: 52a31c42c58902d3868ecb0512a710e1722d302b155a6582c066550cd788e329