Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 bc7549c1281f3ce4…

MALICIOUS

RTF / .DOC

253.1 KB
MD5: 6915f69d14b887a24482b87c5d3b6b84
SHA-1: d92ffc99f5ef1286e231449360659a281f73f878
SHA-256: bc7549c1281f3ce45abcaad7408522374c97421e9031998b7959bd5e59b27a93

Risk Score: 80

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.001 PowerShell
  • T1204.002 Malicious File

The RTF document contains embedded OLE objects, and one heuristic specifically flags the \objupdate control word, which forces OLE activation. This indicates the document is designed to abuse OLE object handling to execute arbitrary code. Together, the embedded OLE objects and the forced-activation heuristic strongly indicate malicious intent, most likely the delivery of a secondary payload.

Heuristics (3)

  • \objupdate forces OLE activation (severity: high, RTF_OBJUPDATE)
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium, RTF_OBJDATA)
    RTF contains 3 \objdata section(s), i.e. embedded OLE objects.
  • Embedded OLE object (severity: medium, RTF_OBJEMB)
    RTF contains \objemb, an embedded OLE object.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  • Filename: objdata_00_off000000ca.bin
    SHA-256: fdcc23a66e0ad20c02aa636d223812de56293cdeeacaba48b9979dddaf8a2a39
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0xCA
    Size: 15672 bytes