Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 ae57ca5e5949a61c…

MALICIOUS

RTF / .DOC

142.1 KB
MD5: 52978b3c6c5147d528ad875cb55075ae
SHA-1: c6290de3b323984523cdc033a0c503d8e8ac0ef6
SHA-256: ae57ca5e5949a61cbd760060312b9e31a932cedec6026a4b99b0254af954d863
Risk Score: 60

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.001 PowerShell
  • T1204.002 Malicious File

The RTF document contains embedded OLE object data and uses an \objupdate directive, indicating an attempt to automatically activate and execute embedded content. This is a common technique for delivering malicious payloads, often used in phishing attacks to trick users into opening malicious documents. No specific family could be identified, and no further IOCs were extracted from the limited document body.

Heuristics (2)

  • \objupdate forces OLE activation (severity: high, rule: RTF_OBJUPDATE)
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium, rule: RTF_OBJDATA)
    RTF contains 1 \objdata section(s) — embedded OLE objects.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00001683.bin
SHA-256: 153891df775985f86381606afe95e9a9d15228ee161e2eda4583e5b052b359e1
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x1683
Size: 4181 bytes