Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 c8939b5b38669715…

MALICIOUS

RTF / .DOC

500.5 KB
MD5:     c1e8633211a6892faeb35be608782c31
SHA-1:   2087132d603b101950bb56394ab1490fd251dce6
SHA-256: c8939b5b38669715169c9be9c145268e148d86202b10b44d161ab456217ed330

Risk Score: 80

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File
  • T1059.001 PowerShell

The file is an RTF document carrying an embedded OLE object. The high-confidence RTF_OBJUPDATE heuristic fired: the \objupdate control word makes Word instantiate the embedded object as soon as the document is opened, so the user never has to double-click it. That trait is almost exclusively seen in Equation Editor exploit documents, where the vulnerability being exploited lies in the OLE server that handles the object, not in RTF itself. The RTF_OBJDATA and RTF_OBJEMB heuristics confirm that the object is embedded in the file (hex-encoded \objdata) rather than linked. No document body text or script content was recovered, so the payload delivered after exploitation and how it is fetched remain unknown; the T1059.001 (PowerShell) mapping above describes the usual follow-on stage for this document class rather than behaviour observed in this sample. Forced activation of an embedded OLE object is nonetheless a strong indicator of a malicious downloader, and the carved \objdata blob listed under Extracted artifacts is the next thing to examine.

Heuristics (3)

  • RTF_OBJUPDATE (high): \objupdate forces OLE activation
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • RTF_OBJDATA (medium): OLE object data
    RTF contains 1 \objdata section: hex-encoded embedded OLE object data.
  • RTF_OBJEMB (medium): embedded OLE object
    RTF contains \objemb: the object is embedded in the document rather than linked.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  Filename: objdata_00_off0000164f.bin
  SHA-256:  8ea383f018c1ac8de04b51534f5722d7da02fa7ed92139a5b2a31045c550b968
  Kind:     rtf-objdata-decoded
  Source:   RTF \objdata at offset 0x164F
  Size:     19317 bytes
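As an added example (not code from the analysis platform that produced this report), the script below reproduces both the three heuristics above and the \objdata carving that yields the artifact table: it locates the \objupdate, \objemb and \objdata control words, decodes the hex stream of each \objdata group into bytes, and parses the OLE 1.0 object header at the start of the blob so the embedded object's class name is visible. The input RTF is constructed inline and carries an Equation.3 object; the rule IDs and severities are taken from this report, the filename convention (objdata_NN_offXXXXXXXX.bin, offset of the \objdata control word) is assumed to match the report's, and the header layout follows the OLE 1.0 ObjectHeader in MS-OLEDS.

```python
import hashlib
import re
import struct

# rule IDs and severities as listed in the report's Heuristics section
HEURISTICS = {
    "objupdate": ("RTF_OBJUPDATE", "high"),
    "objdata": ("RTF_OBJDATA", "medium"),
    "objemb": ("RTF_OBJEMB", "medium"),
}

def build_sample_rtf() -> str:
    """Constructed sample (not the page's file): one embedded OLE 1.0 object whose
    header names the Equation.3 class, with \\objupdate set to force activation."""
    class_name = b"Equation.3\x00"
    native = b"\xde\xad\xbe\xef"                 # placeholder native data
    ole1 = (struct.pack("<II", 0x00000501, 2)   # OLEVersion, FormatID 2 = EmbeddedObject
            + struct.pack("<I", len(class_name)) + class_name
            + struct.pack("<I", 0) + struct.pack("<I", 0)   # empty TopicName / ItemName
            + struct.pack("<I", len(native)) + native)
    hexdata = ole1.hex()
    # wrap the hex over several lines as real documents do; readers ignore whitespace
    wrapped = "\n".join(hexdata[i:i + 32] for i in range(0, len(hexdata), 32))
    return ("{\\rtf1\\ansi\\deff0\n"
            "{\\object\\objemb\\objupdate{\\*\\objclass Equation.3}"
            "{\\*\\objdata " + wrapped + "}}\n\\par }")

# a control word ends at the first non-letter, so \objdata does not match \objdataX
CTRL_RE = re.compile(r"\\(objupdate|objdata|objemb)(?![A-Za-z])")

def find_control_words(rtf: str) -> dict:
    """Map each interesting control word to the offsets where it appears."""
    hits = {}
    for m in CTRL_RE.finditer(rtf):
        hits.setdefault(m.group(1), []).append(m.start())
    return hits

def extract_objdata(rtf: str) -> list:
    """Decode every \\objdata hex stream into bytes; returns [(offset, blob)]."""
    out = []
    for m in re.finditer(r"\\objdata(?![A-Za-z]) ?", rtf):
        depth, hexchars = 0, []
        for ch in rtf[m.end():]:
            if ch == "{":
                depth += 1
            elif ch == "}":
                if depth == 0:
                    break                    # closing brace of the \objdata group
                depth -= 1
            elif depth == 0 and ch in "0123456789abcdefABCDEF":
                hexchars.append(ch)
            # whitespace, stray characters and nested groups are skipped here
        if len(hexchars) % 2:
            hexchars.pop()                   # a dangling nibble cannot form a byte
        out.append((m.start(), bytes.fromhex("".join(hexchars))))
    return out

def parse_ole1_header(blob: bytes) -> dict:
    """Parse the OLE 1.0 ObjectHeader (MS-OLEDS 2.2.4) at the start of a decoded blob."""
    if len(blob) < 12:
        return {"error": "too short for an OLE 1.0 header"}
    ole_version, format_id = struct.unpack_from("<II", blob, 0)
    pos, names = 8, []
    for _ in range(3):                       # ClassName, TopicName, ItemName
        if pos + 4 > len(blob):
            return {"error": "truncated header"}
        (length,) = struct.unpack_from("<I", blob, pos)
        pos += 4
        if pos + length > len(blob):
            return {"error": "truncated header"}
        names.append(blob[pos:pos + length].rstrip(b"\x00").decode("latin-1"))
        pos += length
    info = {"ole_version": ole_version, "format_id": format_id,
            "class_name": names[0], "topic_name": names[1], "item_name": names[2]}
    if format_id == 2 and pos + 4 <= len(blob):   # EmbeddedObject carries NativeData
        (info["native_data_size"],) = struct.unpack_from("<I", blob, pos)
    return info

def analyze(rtf: str) -> dict:
    """Run the heuristics and carve objects, mirroring the report's two sections."""
    findings = [{"rule": HEURISTICS[w][0], "severity": HEURISTICS[w][1], "count": len(offs)}
                for w, offs in find_control_words(rtf).items()]
    artifacts = []
    for offset, blob in extract_objdata(rtf):
        artifacts.append({"filename": f"objdata_{len(artifacts):02d}_off{offset:08x}.bin",
                          "size": len(blob),
                          "sha256": hashlib.sha256(blob).hexdigest(),
                          "ole1": parse_ole1_header(blob)})
    return {"findings": findings, "artifacts": artifacts}

if __name__ == "__main__":
    import json
    # for a real file: open(path, "rb").read().decode("latin-1") keeps byte offsets intact
    print(json.dumps(analyze(build_sample_rtf()), indent=2))
```

The class name recovered from the OLE 1.0 header is the check worth adding to a report like this one: an Equation.3 (or similar Equation Editor) class together with \objupdate is the signature the RTF_OBJUPDATE heuristic is describing, and the NativeData that follows is the buffer handed to that OLE server.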