Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 bd604a96655563c0…

Verdict: MALICIOUS
File type: RTF / .DOC
Size: 91.4 KB
MD5: 8b973d047892526553d0120444afe84b
SHA-1: a67ed36a36444fbe8e73fa9960d31f667f17b0de
SHA-256: bd604a96655563c00aa901c1a10386b93666c3d7dd55e65dfaf298e3f329fbb9
Risk score: 60

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment
T1059.001 Command and Scripting Interpreter: PowerShell (inferred from the delivery pattern; no script was recovered from this sample)

The RTF document embeds OLE object data (\objdata) and carries the \objupdate control word, which makes the host application instantiate the embedded object as soon as the document is opened instead of waiting for the user to double-click it. No script or second-stage payload was extracted from the sample, but this combination is a standard mechanism for delivering a second stage. The file's SHA-256 is the primary IOC; the SHA-256 of the carved \objdata blob listed under Extracted artifacts is a secondary one that survives re-wrapping of the same object in a different RTF shell.

Heuristics (2)

  • [high] RTF_OBJUPDATE: \objupdate forces OLE activation
    RTF contains \objupdate, which forces automatic instantiation of the embedded OLE object when the document is opened, with no user interaction. The control word has almost no legitimate use and is characteristic of Equation Editor exploit documents.
  • [medium] RTF_OBJDATA: OLE object data present
    RTF contains 2 \objdata section(s), i.e. embedded OLE objects. Only one was carved (see below); the second did not yield a decodable blob.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00000c81.bin
SHA-256:  7d4af9b703d05fff1ef4e41b8eca0652aa4a09dd5832f921de15bea7c9e74225
Kind:     rtf-objdata-decoded
Source:   RTF \objdata at offset 0xC81
Size:     1745 bytes
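The two heuristics above and the \objdata carving behind the artifacts table can be reproduced with a small parser. The following is an added example written for this page, not the analysis tool's own code: it scans an RTF for the \objupdate control word, locates every \objdata group, strips the hex payload out of it while skipping whitespace and interleaved control words (a common obfuscation), and reports offset, size and SHA-256 in the same filename convention as the report. The RTF skeleton is constructed for illustration; the Equation.3 class name and the hex filler are placeholders, not the analysed sample's object, and the rule names RTF_OBJUPDATE / RTF_OBJDATA are reused from the report.

```python
import hashlib
import re

# Constructed sample, not the analysed file: a minimal RTF skeleton carrying
# \objupdate and two \objdata sections. The first hex blob mimics an OLE1
# object header naming the Equation.3 class (illustrative filler, not an
# exploit); the second is the string "Hello" with whitespace and a junk
# control word spliced into the hex stream, as obfuscated samples do.
SAMPLE_RTF = (
    rb"{\rtf1\ansi"
    rb"{\object\objemb\objupdate{\*\objclass Equation.3}"
    rb"{\*\objdata 01050000020000000b0000004571756174696f6e2e3300}}"
    rb"{\object\objemb{\*\objdata 4865 6c\par 6c6f}}"
    rb"}"
)

OBJDATA = b"\\objdata"
HEX_CHARS = frozenset(b"0123456789abcdefABCDEF")
# A control word is a backslash, letters, an optional signed number and an
# optional delimiting space; a control symbol is a backslash plus one character.
CONTROL = re.compile(rb"\\[A-Za-z]+-?\d* ?|\\.")


def has_objupdate(data: bytes) -> bool:
    r"""True if \objupdate occurs as a complete control word (RTF_OBJUPDATE)."""
    return re.search(rb"\\objupdate(?![A-Za-z])", data) is not None


def carve_objdata(data: bytes) -> list:
    r"""Locate every \objdata section, hex-decode its payload and hash it.

    Returns one dict per section with the file offset of the control word,
    the decoded bytes, their length and SHA-256. Brace depth is tracked so the
    payload ends where the enclosing group closes; control words and
    whitespace inside the hex stream are skipped rather than read as hex.
    \binN raw-binary runs are not handled by this example.
    """
    sections = []
    pos = 0
    while (start := data.find(OBJDATA, pos)) != -1:
        depth = 1                      # inside the group opened before \*\objdata
        hexchars = bytearray()
        i = start + len(OBJDATA)
        while i < len(data) and depth > 0:
            c = data[i]
            if c == 0x7B:              # '{'
                depth += 1
            elif c == 0x7D:            # '}'
                depth -= 1
            elif c == 0x5C:            # '\': skip the whole control word/symbol
                m = CONTROL.match(data, i)
                i += len(m.group(0)) if m else 1
                continue
            elif c in HEX_CHARS:
                hexchars.append(c)
            i += 1
        if len(hexchars) % 2:
            hexchars.pop()             # dangling nibble: drop it rather than abort
        blob = bytes.fromhex(hexchars.decode("ascii"))
        sections.append({
            "offset": start,
            "data": blob,
            "size": len(blob),
            "sha256": hashlib.sha256(blob).hexdigest(),
        })
        pos = i
    return sections


def analyse(data: bytes) -> dict:
    """Apply the report's two heuristics and carve the embedded objects."""
    sections = carve_objdata(data)
    heuristics = []
    if has_objupdate(data):
        heuristics.append(("RTF_OBJUPDATE", "high"))
    if sections:
        heuristics.append(("RTF_OBJDATA", "medium"))
    return {"heuristics": heuristics, "objects": sections}


if __name__ == "__main__":
    report = analyse(SAMPLE_RTF)
    for rule, severity in report["heuristics"]:
        print(f"[{severity}] {rule}")
    for n, obj in enumerate(report["objects"]):
        # same naming scheme as the report's objdata_00_off00000c81.bin
        print(f"objdata_{n:02d}_off{obj['offset']:08x}.bin "
              f"{obj['size']} bytes sha256={obj['sha256']}")
```

The lenient hex scan is deliberate: malicious RTFs routinely pad the \objdata stream with control words, line breaks and junk to break naive decoders, while Word still loads the object. Run the same function over the real sample and compare the per-object SHA-256 with the one in the artifacts table to confirm which \objdata group produced the carved file.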