Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 cf95b81f5fedd8ad…

MALICIOUS

RTF / .DOC

524.2 KB
MD5:     e082db0a038f15195d47bc66b5917e42
SHA-1:   5039c632b372f49a3f90d0251363e962da885910
SHA-256: cf95b81f5fedd8ad83452f1b21ec1d9169262c13e3be309085c171d663a73fde

Risk Score: 60

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious File

The file is an RTF document containing OLE object data and an \objupdate directive, indicating it is designed to exploit OLE object handling for code execution. The high-severity heuristic firing on \objupdate strongly suggests this mechanism. Because no further script or body content was found, the specific payload and delivery method remain unclear, so the family is classified as unknown.

Heuristics (2)

  • \objupdate forces OLE activation (severity: high, rule: RTF_OBJUPDATE)
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium, rule: RTF_OBJDATA)
    RTF contains 1 \objdata section(s): embedded OLE objects.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00000074.bin
SHA-256:  fc6b8d28883b9b3f1a16a9ec2d77c9af576ed9a39458e198f3b35ba8ca0be979
Kind:     rtf-objdata-decoded
Source:   RTF \objdata at offset 0x74
Size:     56629 bytes