Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 b961ccf95a1b62bc…

Verdict: MALICIOUS
Type: RTF / .DOC
Size: 14.3 KB
MD5: c096363839d50b5fcde04f623ff0a022
SHA-1: f19ce2c3d288eeae541d289f8437cface969283b
SHA-256: b961ccf95a1b62bcf5d14dc56c1f6cdd86d9c1c2d19dfcfde6cc3d4eb35936d0
Risk Score: 60

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.001 PowerShell

The RTF document contains OLE object data, indicated by the RTF_OBJDATA heuristic. The RTF_OBJUPDATE heuristic suggests that this embedded object is designed to be activated, likely leading to the execution of malicious code. No document body text or scripts were extracted, limiting the ability to determine the specific payload or family. The presence of OLE object data strongly suggests an attempt to exploit the user's interaction with the document.

Heuristics (2)

  • \objupdate forces OLE activation [severity: high] RTF_OBJUPDATE
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data [severity: medium] RTF_OBJDATA
    RTF contains 2 \objdata section(s), i.e. embedded OLE objects.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00000dd5.bin
SHA-256: c1c42580f9db2318f00d74655f827cec02845c4a38607e90c9e16817b16a50a4
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0xDD5
Size: 1789 bytes