Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 cc8c9f5b7a3a6d04…

MALICIOUS

RTF / .DOC

88.2 KB
MD5: 801e4d123e935445e5f5109c8150b397 SHA-1: 4ac2d5c8ee6b47fc76fb222d22ae818db3a445b1 SHA-256: cc8c9f5b7a3a6d049cdb9a484fb0f39b0cf8d7f73dfc78b495c9580a93363f64
80 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.001 PowerShell T1204.002 Malicious File

The file is an RTF document containing embedded OLE objects, with heuristics indicating the use of \objdata and \objupdate. This suggests the document is designed to exploit OLE object activation to run embedded code. While no specific script was extracted, the presence of OLE objects strongly implies an attempt to execute a payload. The SHA256 hash is included as a primary identifier.

Heuristics 3

  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects
  • Embedded OLE object medium RTF_OBJEMB
    RTF contains \objemb — embedded OLE object

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off00001bdb.bin
73b6849effdd33eeea5e3f156af9c36fa3c9bc51e91b1b0b6e6c44f2acfd32fb		 rtf-objdata-decoded RTF \objdata at offset 0x1BDB 4685 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.