Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 aecfdb1ab24ac86f…

MALICIOUS

RTF / .DOC

81.6 KB
MD5:     91b056d2861b77de5bf65f7e5e695c99
SHA-1:   c0ec6434afbc4e75d4482dfa9c87ed714c08b9ae
SHA-256: aecfdb1ab24ac86fac57c8e7e4f61ab19881695356937547d198aefa614fa42d

Risk Score: 60

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious File
  • T1027 Obfuscated Files or Information

The file is an RTF document containing embedded OLE object data, as indicated by the RTF_OBJDATA heuristic. The RTF_OBJUPDATE heuristic suggests that this embedded object is designed to be activated, likely leading to the execution of malicious code. The document body contains heavily obfuscated and nonsensical text, which is common in lures designed to mask malicious intent. Without further script analysis or network indicators, the exact payload and family remain unknown, but the OLE object activation points to a delivery mechanism for malware.

Heuristics (2)

  • \objupdate forces OLE activation [severity: high] RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data [severity: medium] RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off0000076e.bin
SHA-256:  b6140292ec2bd0076d4b70caba617e0e18ce0bca070decd8f5e5ddcb7258bbba
Kind:     rtf-objdata-decoded
Source:   RTF \objdata at offset 0x76E
Size:     4689 bytes