Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 b4db7b178dd68def…

Verdict: MALICIOUS
File type: RTF / .DOC
File size: 120.8 KB
MD5: a4d1962db1a5e9c851dd8746bf9e83c1
SHA-1: 71eee842c0ef6bd5cb97e4e8d951d5ba3cffaeb7
SHA-256: b4db7b178dd68def9773a649ba7c887fe86774435ff2959615f13d5b16c991d1
Risk Score: 60

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell
  • T1204.002 Malicious File

The RTF document contains OLE object data and uses \objupdate to force activation, indicating an attempt to exploit OLE vulnerabilities. This mechanism is commonly used to embed and execute malicious payloads. No document body text or scripts were extracted, which limits the ability to determine the exact payload or malware family. The primary IOC is the extracted OLE object data.

Heuristics (2)

  • RTF_OBJUPDATE (severity: high): \objupdate forces OLE activation
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • RTF_OBJDATA (severity: medium): OLE object data
    RTF contains 1 \objdata section(s) (embedded OLE objects).

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00001c76.bin
SHA-256: dfebfa724698955cfc6cdcf81b4950c2c48afb0c6b4d872b45d3bc84bf666a97
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x1C76
Size: 4279 bytes