Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 be23c616909aa059…

Verdict: MALICIOUS
File type: RTF / .DOC
Size: 91.5 KB
MD5: 846f9a72a2156cd3343b463ab9c3aa0c
SHA-1: cdefdbef9e269233b8378dc401d6f1cb5adb726f
SHA-256: be23c616909aa059d3a01331975722e0f8c886fbdd0ed60622489e2aadddd624
Risk Score: 80

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1204.002 User Execution: Malicious File
  • T1059.001 Command and Scripting Interpreter: PowerShell

The file is an RTF document carrying an embedded OLE object whose activation is forced by an \objupdate control word: Word instantiates the object as soon as the document is opened, with no click or "Enable Content" prompt required. This is the pattern used to reach a vulnerable OLE object handler (most often Equation Editor) or to run embedded content the user would otherwise have to approve. The heuristics strongly suggest that the \objdata payload is meant to be executed and to lead to a second-stage payload. No document body text or script content was available for further analysis, which limits what can be said about the payload or the exact exploitation vector; in particular, the T1059.001 (PowerShell) mapping is not corroborated by any content observed in this sample.

Heuristics (3)

  • RTF_OBJUPDATE (high): \objupdate forces OLE activation
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Most commonly seen in Equation Editor and other OLE-handler exploit documents; benign documents rarely need it.
  • RTF_OBJDATA (medium): OLE object data
    RTF contains 1 \objdata section, i.e. one hex-encoded embedded OLE object.
  • RTF_OBJEMB (medium): Embedded OLE object
    RTF contains \objemb, marking the object as embedded rather than linked (\objlink).

Extracted artifacts (1)

Files carved from inside the sample during analysis. The decoded \objdata blob is the next thing to inspect: its OLE1 header gives the format id and class name, and what follows is the wrapped OLE2/CFB container or native object data.

Filename: objdata_00_off000011ab.bin
SHA-256: 88922822d0798f6d1d750950ebb2bcbb9b435699c9a1b97a58ed462407ba2a46
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x11AB
Size: 4186 bytes
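Added example, not part of the original report or of the analysis tool that produced it: a minimal Python carver that applies the three heuristics listed above (RTF_OBJUPDATE, RTF_OBJDATA, RTF_OBJEMB) to an RTF and extracts each \objdata blob with the same offset-based file naming the artifact table uses. The sample RTF is constructed for this example and is not the analysed file; the `{\*\junk ...}` group inside the hex stream and the "Equation.3" class name are assumptions chosen to exercise the parser. The OLE1 ObjectHeader layout used by `ole1_class_name` is the one documented in MS-OLEDS.

```python
import re
from typing import Dict, List, Optional

# Constructed sample (not the analysed file): one {\object} group carrying \objemb and
# \objupdate, an \objclass, and a hex \objdata payload laid out like an OLE1 ObjectHeader
# (version, format id 2 = embedded, class name "Equation.3"), with a nested junk group in the hex.
SAMPLE_RTF = (
    b"{\\rtf1\\ansi\\deff0{\\fonttbl{\\f0 Times;}}\n"
    b"\\pard Quarterly figures attached.\\par\n"
    b"{\\object\\objemb\\objupdate\\objw100\\objh100\n{\\*\\objclass Equation.3}\n"
    b"{\\*\\objdata 01050000 02000000 0b000000\n4571756174696f6e2e3300\n"
    b"{\\*\\junk ignore me}0000 0000 00000000 04000000 deadbeef\n}\n"
    b"{\\result {\\pict\\wmetafile8 0100090000}}\n}\n\\par}\n"
)

CONTROL_WORD = re.compile(rb"\\[a-zA-Z]+(?:-?\d+)? ?")
OBJECT_GROUP = re.compile(rb"\{\\object(?![a-zA-Z])")
OBJDATA_GROUP = re.compile(rb"\{(?:\\\*)?\\objdata(?![a-zA-Z])")
HEX_DIGITS = b"0123456789abcdefABCDEF"


def _group_end(data: bytes, start: int) -> int:
    """Index one past the '}' closing the group opened at data[start]; skips escaped chars."""
    depth, i = 0, start
    while i < len(data):
        c = data[i:i + 1]
        if c == b"\\":            # \{ \} \\ or the first letter of a control word: never a brace
            i += 2
            continue
        if c == b"{":
            depth += 1
        elif c == b"}":
            depth -= 1
            if depth == 0:
                return i + 1
        i += 1
    return len(data)              # unbalanced group runs to EOF (Word tolerates this)


def _hex_stream(body: bytes) -> bytes:
    """Keep only the hex digits of an \\objdata body, dropping nested groups and control words."""
    out, i = bytearray(), 0
    while i < len(body):
        c = body[i:i + 1]
        if c == b"{":
            i = _group_end(body, i)                  # e.g. an obfuscating {\*\junk ...} group
        elif c == b"\\":
            m = CONTROL_WORD.match(body, i)
            i = m.end() if m else i + 2              # control word, or a two-byte escape
        else:
            if c in HEX_DIGITS:                      # Word ignores any other character here
                out += c
            i += 1
    return bytes(out)


def ole1_class_name(blob: bytes) -> Optional[str]:
    """OLE1 ObjectHeader: u32 version, u32 format id (1 linked, 2 embedded), u32 length, ANSI class name."""
    if len(blob) < 12:
        return None
    fmt, n = int.from_bytes(blob[4:8], "little"), int.from_bytes(blob[8:12], "little")
    if fmt not in (1, 2) or n == 0 or 12 + n > len(blob):
        return None
    return blob[12:12 + n].rstrip(b"\0").decode("latin-1")


def analyse_rtf(data: bytes) -> Dict:
    """Apply the report's three heuristics and carve each \\objdata payload as objdata_<n>_off<offset>.bin."""
    heuristics: List[Dict] = []
    artifacts: List[Dict] = []
    saw_update = saw_emb = False
    for obj in OBJECT_GROUP.finditer(data):
        end = _group_end(data, obj.start())
        group = data[obj.start():end]
        saw_update |= re.search(rb"\\objupdate(?![a-zA-Z])", group) is not None
        saw_emb |= re.search(rb"\\objemb(?![a-zA-Z])", group) is not None
        for od in OBJDATA_GROUP.finditer(data, obj.start(), end):
            hexdigits = _hex_stream(data[od.end():_group_end(data, od.start()) - 1])
            if len(hexdigits) % 2:                   # odd trailing nibble: drop it, keep the carve
                hexdigits = hexdigits[:-1]
            blob = bytes.fromhex(hexdigits.decode("ascii"))
            offset = od.end() - len(b"\\objdata")    # file offset of the \objdata control word
            artifacts.append({
                "filename": f"objdata_{len(artifacts):02d}_off{offset:08x}.bin",
                "kind": "rtf-objdata-decoded",
                "source": f"RTF \\objdata at offset 0x{offset:X}",
                "size": len(blob),
                "ole1_class": ole1_class_name(blob),
                "data": blob,
            })
    if saw_update:
        heuristics.append({"id": "RTF_OBJUPDATE", "severity": "high", "title": "\\objupdate forces OLE activation"})
    if artifacts:
        heuristics.append({"id": "RTF_OBJDATA", "severity": "medium", "title": f"OLE object data: {len(artifacts)} \\objdata section(s)"})
    if saw_emb:
        heuristics.append({"id": "RTF_OBJEMB", "severity": "medium", "title": "Embedded OLE object (\\objemb)"})
    # Word accepts any header starting with {\rt, so a missing "f1" is not a reason to skip a file.
    return {"is_rtf": data.lstrip().lower().startswith(b"{\\rt"), "heuristics": heuristics, "artifacts": artifacts}
```

Run `analyse_rtf(open(path, "rb").read())` on a suspect file; each artifact carries its decoded bytes under `data`, so writing them out under `filename` reproduces the carve listed in the table, and `ole1_class` tells you which handler the object targets before you open anything. Offsets are those of the `\objdata` control word, which is what the `off000011ab` part of the artifact name encodes.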