Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 c81c9e51e67f4fe9…

Verdict: MALICIOUS

File type: RTF / .DOC

Size: 239.7 KB

MD5: b7379f6afbf9ca5197dbe313f83255f3
SHA-1: a34b2ab90af8ce9d6fb390f92247250e14ed7dc6
SHA-256: c81c9e51e67f4fe95a80ef4bb8ec3d6f9a485994088f4686498d5643858982a9

Risk Score: 60

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.001 PowerShell
  • T1204.002 Malicious File

The RTF document contains OLE object data and an \objupdate directive, indicating an attempt to embed external content and have it activated automatically when the document is opened. No document body text or script content was available for analysis, but these heuristics strongly suggest malicious intent to abuse OLE object handling for payload delivery. Confidence is moderate because more specific indicators, such as URLs or script content, are absent.

Heuristics (2)

  • \objupdate forces OLE activation (severity: high, RTF_OBJUPDATE)
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium, RTF_OBJDATA)
    RTF contains 1 \objdata section(s), i.e. embedded OLE objects.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off000017fb.bin
SHA-256: 3ee3f17ee3ba76ef62795794c83ba569e1348b59ff789298b534259fe05fd53f
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x17FB
Size: 69228 bytes