Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 c2c1af7acc406790…

Verdict: MALICIOUS
File type: RTF / .DOC
Size: 50.7 KB
MD5: 9ac435b7bb3b69d126ae2df8a4bf8956
SHA-1: 1c85894ba12227c864d54992f32ef435b2a15160
SHA-256: c2c1af7acc406790256c4b4d5103ec3c934ef94be2b792d235d2e54c578485d3
Risk score: 80

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File
  • T1059.001 PowerShell

The RTF document contains embedded OLE objects, and the \objupdate heuristic indicates that these objects are designed to be activated automatically upon opening. This suggests an attack pattern leveraging OLE object vulnerabilities to execute arbitrary code. No specific malware family could be identified, and the document body was unreadable, limiting further analysis of the exact payload or lure.

Heuristics (3)

  • \objupdate forces OLE activation (severity: high, rule: RTF_OBJUPDATE)
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium, rule: RTF_OBJDATA)
    RTF contains 1 \objdata section(s): embedded OLE object data.
  • Embedded OLE object (severity: medium, rule: RTF_OBJEMB)
    RTF contains \objemb: an embedded OLE object.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00001ddf.bin
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x1DDF
Size: 1721 bytes
SHA-256: 6602ad70c8f3f75da15c73507f1ccbc1aabe2f8cbb9e24c415b7cd4c6689cac9