Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 b0b64148df912f3c…

MALICIOUS

RTF / .DOC

154.8 KB
MD5: a393869e434c48d8280441c30e09b283 SHA-1: 1aee44c459b3145408ef3cf37fa7652b932ca4f9 SHA-256: b0b64148df912f3c7db2f4fa8e1fd0c64e8a9d4964f9451800efaf330a9c3edd
60 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.001 PowerShell

The RTF document contains OLE object data and triggers OLE activation, indicating an attempt to execute embedded content. While no specific document body text or scripts were extracted for direct analysis of intent, the heuristic firings strongly suggest a malicious OLE object is present. The exact nature of the payload is unclear without further analysis, but the techniques used are consistent with delivering a malicious payload.

Heuristics 2

  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 2 \objdata section(s) — embedded OLE objects

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off000008d2.bin
8f161e0a51bf4f9da6943b3cd76c97998e391cefaa1bd0cba72c504e18f32f51		 rtf-objdata-decoded RTF \objdata at offset 0x8D2 1478 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.