Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 af6080eb192c732f…

MALICIOUS

RTF / .DOC

17.3 KB
MD5: 77e3cab6aea3ab9d21f615f00571c949
SHA-1: 23c989d592ee66c863a5eaceae420a9a803982be
SHA-256: af6080eb192c732f995fb809ddea9e15ac7d3b3408c1f6e2c7e42cf35db94daf
Risk score: 60

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.001 PowerShell

The RTF document contains embedded OLE objects (RTF_OBJDATA: two \objdata sections). The RTF_OBJUPDATE heuristic fired on a \objupdate control word, which forces those objects to be instantiated as soon as the document is opened, with no click or prompt; this is the usual delivery technique in Equation Editor exploit documents. No document body text or scripts were extracted, so the payload and its intent could not be determined from static analysis alone, and the T1059.001 (PowerShell) mapping is not corroborated by any extracted script. Only one of the two \objdata sections yielded a carved artifact (1737 bytes at offset 0x6B2). Confidence is moderate for these reasons.

Heuristics (2)

  • RTF_OBJUPDATE (high): \objupdate forces OLE activation
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • RTF_OBJDATA (medium): OLE object data
    RTF contains 2 \objdata section(s), i.e. embedded OLE objects.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off000006b2.bin
SHA-256: 245eac1caa9809295111a4f46e5464294dcc801ad45033b72e5ec7211d0709ec
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x6B2
Size: 1737 bytes
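As an added example (not the tooling that produced this report), the Python script below implements the two heuristics listed above (RTF_OBJUPDATE, RTF_OBJDATA) and the \objdata carving behind the extracted-artifacts entry: it locates each \objdata group, hex-decodes the stream, parses the OLE 1.0 object header to recover the class name (Equation.3 is the Equation Editor class) and the first bytes of the native payload, and assigns the same high/medium severity the report uses. SAMPLE_RTF, build_ole1 and the constants are constructed here for the demonstration and are not taken from the analysed sample; real malicious RTFs obfuscate the hex stream in ways this simplified decoder does not handle, so use oletools' rtfobj for production triage.

```python
"""RTF OLE-object triage: RTF_OBJUPDATE / RTF_OBJDATA checks plus \\objdata carving.

Added example, not the report's own tooling. SAMPLE_RTF is constructed for the
demo (assumption, not the analysed file). Real samples obfuscate the hex stream;
use oletools' rtfobj for production work.
"""
import re
import struct
import textwrap

OLE1_VERSION = 0x00000501      # OLE 1.0 object-header version field
OLE1_FMT_EMBEDDED = 2          # FormatID 2: embedded object carrying native data
CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # Compound File Binary signature
EQUATION_CLASS = "Equation.3"  # Equation Editor (EQNEDT32) OLE class name


def build_ole1(class_name: bytes, native: bytes) -> bytes:
    """Serialise an OLE 1.0 embedded object (used only to construct SAMPLE_RTF)."""
    def lpstr(s: bytes) -> bytes:            # length-prefixed, NUL-terminated ANSI string
        s += b"\x00"
        return struct.pack("<I", len(s)) + s
    return (struct.pack("<II", OLE1_VERSION, OLE1_FMT_EMBEDDED)
            + lpstr(class_name) + lpstr(b"") + lpstr(b"")      # class, topic, item names
            + struct.pack("<I", len(native)) + native)


def _hex_lines(blob: bytes) -> bytes:
    """Hex-encode and wrap at 64 columns, the way Word writes \\objdata streams."""
    return b"\n".join(line.encode() for line in textwrap.wrap(blob.hex(), 64))


# Constructed sample: an \objupdate-armed Equation.3 object followed by a Package object.
SAMPLE_RTF = (
    b"{\\rtf1\\ansi\n"
    b"{\\object\\objemb\\objupdate{\\*\\objclass Equation.3}{\\*\\objdata\n"
    + _hex_lines(build_ole1(b"Equation.3", CFB_MAGIC + b"\x00" * 8)) + b"}}\n"
    b"{\\object\\objemb{\\*\\objclass Package}{\\*\\objdata\n"
    + _hex_lines(build_ole1(b"Package", b"MZ\x90\x00")) + b"}}\n"
    b"}"
)


def objdata_groups(rtf: bytes):
    """Yield (offset, body) per \\objdata control word; body runs to the group's closing brace."""
    for m in re.finditer(rb"\\objdata\b", rtf):
        depth, i = 0, m.end()
        while i < len(rtf):
            c = rtf[i]
            if c == 0x7B:            # '{' opens a nested group
                depth += 1
            elif c == 0x7D:          # '}' closes one; at depth 0 it ends the \objdata group
                if depth == 0:
                    break
                depth -= 1
            i += 1
        yield m.start(), rtf[m.end():i]


def decode_objdata(body: bytes) -> bytes:
    """Strip control words, control symbols, braces and whitespace, then hex-decode."""
    cleaned = re.sub(rb"\\[A-Za-z]+-?\d*|\\.|[{}]", b"", body)
    hexdigits = re.sub(rb"[^0-9A-Fa-f]", b"", cleaned)
    if len(hexdigits) % 2:           # tolerate a dangling nibble
        hexdigits = hexdigits[:-1]
    return bytes.fromhex(hexdigits.decode("ascii"))


def parse_ole1(blob: bytes) -> dict:
    """Parse the OLE 1.0 header: version, format, three LP strings, native data."""
    version, fmt = struct.unpack_from("<II", blob, 0)
    off, names = 8, []
    for _ in range(3):               # class name, topic name, item name
        n = struct.unpack_from("<I", blob, off)[0]
        names.append(blob[off + 4: off + 4 + n].rstrip(b"\x00"))
        off += 4 + n
    native_len = struct.unpack_from("<I", blob, off)[0]
    return {"version": version, "format": fmt,
            "class_name": names[0].decode("latin-1"),
            "native": blob[off + 4: off + 4 + native_len]}


def triage(rtf: bytes) -> dict:
    """Apply the report's two heuristics and carve each \\objdata payload."""
    report = {"objupdate": re.search(rb"\\objupdate\b", rtf) is not None, "objects": []}
    for offset, body in objdata_groups(rtf):
        blob = decode_objdata(body)
        entry = {"offset": offset, "size": len(blob), "class_name": None,
                 "native_magic": None, "equation_editor": False}
        try:
            ole = parse_ole1(blob)
            if ole["version"] == OLE1_VERSION and ole["format"] == OLE1_FMT_EMBEDDED:
                entry["class_name"] = ole["class_name"]
                entry["native_magic"] = ole["native"][:8]
                entry["equation_editor"] = ole["class_name"] == EQUATION_CLASS
        except struct.error:
            pass                     # truncated or non-OLE1 blob: keep the carved bytes anyway
        report["objects"].append(entry)
    if report["objupdate"]:
        report["severity"] = "high"        # RTF_OBJUPDATE
    elif report["objects"]:
        report["severity"] = "medium"      # RTF_OBJDATA only
    else:
        report["severity"] = "none"
    return report


if __name__ == "__main__":
    r = triage(SAMPLE_RTF)
    print(f"objupdate={r['objupdate']} severity={r['severity']}")
    for o in r["objects"]:
        print(f"  \\objdata at 0x{o['offset']:X}: {o['size']} bytes class={o['class_name']} "
              f"magic={o['native_magic']!r} equation_editor={o['equation_editor']}")
```

The carved blob from each \objdata group is what the report lists as an rtf-objdata-decoded artifact; writing `blob` to a file named after its offset reproduces the objdata_00_off… naming. A Compound File signature in the native data of an \objupdate-armed Equation.3 object is the profile the RTF_OBJUPDATE heuristic describes, and the class name is the first thing worth checking by hand when no script could be extracted.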