Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 d50292c66c695356…

MALICIOUS

RTF / .DOC

27.2 KB
MD5: 62cd1a6e1427e66d911941b545251126 SHA-1: 04c1b80a8d22499d7a372b4a57348f8d72e42e16 SHA-256: d50292c66c6953566156be623fa4e7afece26ed2612a268ebe5b98fbf3cd2a3c
60 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious File T1059.001 PowerShell

The file is an RTF document containing OLE object data, indicated by the RTF_OBJDATA heuristic. The RTF_OBJUPDATE heuristic suggests that the embedded OLE object is designed to be activated, likely leading to the execution of malicious code. The lack of readable document body text or scripts prevents a more detailed analysis of the specific payload or delivery mechanism, hence the confidence is moderate.

Heuristics 2

  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 2 \objdata section(s) — embedded OLE objects

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off00001303.bin
d01e39698c9afee7da56386423701762e822dcbb31a0c115d73313fd651d2c6b		 rtf-objdata-decoded RTF \objdata at offset 0x1303 2269 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.