Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 cd59e5461fa2964d…

MALICIOUS

RTF / .DOC

14.0 KB
MD5:     c1bbf899e0c6d2a97dab683bb9b379b8
SHA-1:   1e8e074cb3bb1f957744e0816bdc5703436235c4
SHA-256: cd59e5461fa2964d9dccafc6d88b1df5152315c658b8c7fdf5e1f14f481095ef

Risk Score: 60

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious File
  • T1059.001 PowerShell

The RTF document contains embedded OLE object data and triggers an OLE object update, indicating an attempt to exploit a vulnerability. The presence of `objdata` sections and the `RTF_OBJUPDATE` heuristic strongly suggest that the document is designed to activate embedded content, likely for malicious purposes such as downloading a secondary payload. No specific family could be identified from the available heuristics.

Heuristics (2)

  • \objupdate forces OLE activation — severity: high — RTF_OBJUPDATE
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data — severity: medium — RTF_OBJDATA
    RTF contains 2 \objdata section(s) (embedded OLE objects).

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  Filename: objdata_00_off000008c5.bin
  SHA-256:  5faf55c6d7d11e50327ef75ebe92a61570c350f516f1176ad00fbae9f4d567ce
  Kind:     rtf-objdata-decoded
  Source:   RTF \objdata at offset 0x8C5
  Size:     1597 bytes