Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 b6d388a5c99007d0…

MALICIOUS

RTF / .DOC

20.1 KB
MD5: c0fdca263e55efcd823a4d177f97b397
SHA-1: 6c9e5403ec2575cbea6766b8a7789133360298dd
SHA-256: b6d388a5c99007d073cd6e023334f5d3b3923711533ed13acd7de6f27284b4ec

Risk Score: 60

Malware Insights

MITRE ATT&CK
  • T1204.002 User Execution: Malicious File
  • T1059.001 Command and Scripting Interpreter: PowerShell

The RTF document contains OLE object data and uses \objupdate, indicating an attempt to exploit OLE activation. The embedded objdata artifact is likely part of the exploit chain. Without a document body or script content, the exact payload and delivery mechanism remain unclear, but the heuristics strongly suggest an exploit targeting RTF parsing to achieve code execution.

Heuristics (2)

  • \objupdate forces OLE activation (severity: high, rule RTF_OBJUPDATE)
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium, rule RTF_OBJDATA)
    RTF contains 2 \objdata section(s), i.e. embedded OLE objects.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  • Filename: objdata_00_off00001ace.bin
    SHA-256: 2f5f4b970eb1bd94a0cd0a77d3abb33579aacec3dc9afbfad63bab683291a802
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x1ACE
    Size: 1777 bytes