Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 d9182b673c5ec1a4…

MALICIOUS

RTF / .DOC

82.5 KB
MD5:     7c99eb78afaa1fc3fd5cd0c5574d04ec
SHA-1:   fa459c96675e17db982be318cff5832d8907cb05
SHA-256: d9182b673c5ec1a4f81c3fb50dc6e18154ea851ef2ee396ab0fa767d1c774074

Risk Score: 80

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious File
  • T1059.001 PowerShell

The RTF document contains embedded OLE objects, and a "\objupdate" directive is present, indicating an attempt to force OLE activation on open and exploit a vulnerability in the handler that loads the object. This suggests the file is designed to execute arbitrary code as soon as the document is opened, without further user interaction. No specific malware family could be identified, and no document body or script content was available for further analysis.

Heuristics (3)

  • \objupdate forces OLE activation [high] (RTF_OBJUPDATE)
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data [medium] (RTF_OBJDATA)
    RTF contains 1 \objdata section(s) — embedded OLE objects.
  • Embedded OLE object [medium] (RTF_OBJEMB)
    RTF contains \objemb — embedded OLE object.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off000011d0.bin
SHA-256:  abcade55931fbceee4b58adbadf85533cfa7fd2a687bcb2842d1badd360f9ed0
Kind:     rtf-objdata-decoded
Source:   RTF \objdata at offset 0x11D0
Size:     4301 bytes