Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 bfb16a23852c1e8f…

MALICIOUS

RTF / .DOC

4.5 KB
MD5: e7a18c05d4deda45f9e675a7323a8499 SHA-1: 0e7109e6b251f80c4bbd9156e7ef68416d694bcf SHA-256: bfb16a23852c1e8fa3d36852d35bd761b0cb09bd6566e6775f4beba767afb6ef
60 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious File

The RTF document contains embedded OLE object data and triggers an OLE activation via the \objupdate directive. This indicates an attempt to exploit a vulnerability, likely to execute arbitrary code. The document body is heavily obfuscated and does not provide clear textual lures. No scripts were extracted from this sample. The primary IOC is the file hash itself, as the attack relies on the file's structure and embedded objects.

Heuristics 2

  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off00000526.bin
0ec99aebf32c4c5bd38d5f43f67724e0fe01d53f2df53d1cd7e017edf28d06fc		 rtf-objdata-decoded RTF \objdata at offset 0x526 1597 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.