Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 afc92e46e62ea46b…

MALICIOUS

RTF / .DOC

78.3 KB
MD5: 61fc208a90b878bc170df0481a9da31d SHA-1: 3729eb3e78cbb43fa12330d7058a647317815269 SHA-256: afc92e46e62ea46b0d8e2c2af3670968d76e60d6748ee9b58457965bd06db2e1
60 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious File T1059.001 PowerShell

The file is an RTF document containing embedded OLE object data, indicated by the RTF_OBJDATA heuristic. The RTF_OBJUPDATE heuristic suggests that this object is designed to be activated, likely exploiting a vulnerability in Microsoft Office. While no specific exploit is identified, the presence of OLE objects and the update trigger strongly suggest an attempt to execute code. The document body is heavily obfuscated and does not provide clear user-facing content, further supporting a malicious intent. The SHA256 hash is included as a primary identifier.

Heuristics 2

  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off00001167.bin
56934da4f246ad9df494e2a71ce82eb39b3917081ea54ec521974ca4c8135d68		 rtf-objdata-decoded RTF \objdata at offset 0x1167 3669 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.