Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 ac11eb0a71280651…

MALICIOUS

RTF / .DOC

13.8 KB
MD5: 6b0a4d82bc496e6b8e79daaebfc60cf4 SHA-1: 00a5603d2b7879fe19eac4581fe5ee81aae3c6e6 SHA-256: ac11eb0a7128065149275f500eb8fc4116d266b6e7499e0f871918f8bfd3d9a1
100 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell T1204.002 Malicious File

The RTF document contains embedded OLE objects that are automatically linked and updated, indicating an attempt to exploit user interaction to activate malicious content. The presence of `RTF_OBJDATA`, `RTF_OBJAUTLINK`, and `RTF_OBJUPDATE` heuristics strongly suggests this attack vector. The exact payload or download mechanism is not discernible from the provided evidence, leading to a lower confidence in family attribution.

Heuristics 3

  • Automatically linked OLE object high RTF_OBJAUTLINK
    RTF contains \objautlink — an automatically linked OLE object surface that can be updated or activated when Word opens the document.
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 2 \objdata section(s) — embedded OLE objects

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off00001375.bin
269404c1f8ac2108abb6138c8509c302d83493b170d5123fac30102a1782d06d		 rtf-objdata-decoded RTF \objdata at offset 0x1375 1767 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.