Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 d94a751fae5806c3…

MALICIOUS

RTF / .DOC

92.2 KB
MD5:     955dc7cf2818404f245a04d8a9775a27
SHA-1:   a291a60bd6e80654ec77c98d2880b6b660bd72c9
SHA-256: d94a751fae5806c337378fffd7cc8ca579853983a57364f77b31de5048136c32

Risk Score: 60

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.001 PowerShell

The sample is an RTF document carrying embedded OLE object data (RTF_OBJDATA heuristic). The RTF_OBJUPDATE heuristic shows that the object group also carries the \objupdate control word, which makes the host application instantiate the object automatically when the document is opened instead of waiting for the user to double-click it; this is the usual way such documents trigger a payload without any interaction. No document body text or scripts were available for analysis, so the verdict rests on these two RTF-specific heuristics, which together point to a document built to abuse automatic OLE object activation for payload delivery. The carved OLE object listed under "Extracted artifacts" is the next thing to examine; note that nothing in the listed heuristics evidences the PowerShell technique tag, which should be confirmed from the object's contents or from dynamic analysis.

Heuristics (2)

  • RTF_OBJUPDATE (high): \objupdate forces OLE activation
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • RTF_OBJDATA (medium): OLE object data
    RTF contains 1 \objdata section(s), i.e. embedded OLE object(s).

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename                     Kind                  Source                          Size
objdata_00_off00001f9d.bin   rtf-objdata-decoded   RTF \objdata at offset 0x1F9D   4677 bytes
  SHA-256: 5e69a54dc2819c50304e59a6198d3b86b99c5f455540e9012d30fb5995c8ba85
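The two heuristics and the \objdata carving described in this report, as an added Python example (it is not the analysis tool's code and not part of the original report): it scans an RTF for the \objupdate control word, locates each \objdata group, strips the line-wrapped hex and any nested groups or control words, decodes the bytes, reads the OLE 1.0 ObjectHeader (OLEVersion, FormatID, length-prefixed class name, per MS-OLEDS) and names the carved blob in the report's objdata_NN_offXXXXXXXX.bin convention. The input RTF, its "Equation.3" class name and the filler native data are constructed for the demonstration; the real sample's object contents are not available on this page.

```python
"""Triage helper: flag \\objupdate, carve every \\objdata section, decode it
and read the OLE 1.0 object header (added example, constructed input)."""
import hashlib
import re
import struct

HEX_DIGITS = b"0123456789abcdefABCDEF"
# One RTF control word or symbol: \'hh escaped byte, \word[-]N[ ], or \<symbol>.
CONTROL_RE = re.compile(rb"\\('[0-9A-Fa-f]{2}|[A-Za-z]+-?\d* ?|.)", re.S)
OBJDATA_RE = re.compile(rb"\\objdata(?![A-Za-z])")
OBJUPDATE_RE = re.compile(rb"\\objupdate(?![A-Za-z])")


def build_sample_rtf() -> bytes:
    """Constructed sample (NOT the analysed file): one embedded object whose
    \\objdata payload is a minimal MS-OLEDS ObjectHeader plus 16 filler bytes."""
    class_name = b"Equation.3\x00"                      # illustrative ProgID, NUL-terminated
    native = b"\xaa" * 16                               # stand-in for the object's native data
    ole1 = struct.pack("<II", 0x00000501, 2)            # OLEVersion (0x501), FormatID 2 = embedded
    ole1 += struct.pack("<I", len(class_name)) + class_name
    ole1 += struct.pack("<II", 0, 0)                    # empty TopicName and ItemName
    ole1 += struct.pack("<I", len(native)) + native     # NativeDataSize, NativeData
    hexdata = ole1.hex().encode()
    # Real documents wrap the hex across lines; mimic that to exercise the stripper.
    wrapped = b"\r\n".join(hexdata[i:i + 32] for i in range(0, len(hexdata), 32))
    return (b"{\\rtf1\\ansi\\deff0{\\fonttbl{\\f0 Calibri;}}\r\n"
            b"{\\object\\objemb\\objupdate\\objw100\\objh100"
            b"{\\*\\objclass Equation.3}{\\*\\objdata\r\n" + wrapped + b"}}\r\n"
            b"\\par lure text here\\par}")


def extract_objdata(rtf: bytes) -> list:
    """Return one dict per \\objdata section: offset of the control word,
    decoded bytes and the SHA-256 a carver would record for the blob."""
    found = []
    for m in OBJDATA_RE.finditer(rtf):
        i, depth, hexchars = m.end(), 0, bytearray()
        while i < len(rtf):
            c = rtf[i:i + 1]
            if c == b"{":
                depth += 1
            elif c == b"}":
                if depth == 0:
                    break                    # closing brace of the \objdata group
                depth -= 1
            elif c == b"\\":
                cw = CONTROL_RE.match(rtf, i)  # skip control words hidden in the hex
                i = cw.end() if cw else i + 1
                continue
            elif depth == 0 and c in HEX_DIGITS:
                hexchars += c                # only top-level hex digits are payload
            i += 1
        if len(hexchars) % 2:                # malformed: drop the dangling nibble
            del hexchars[-1]
        data = bytes.fromhex(hexchars.decode("ascii"))
        found.append({"offset": m.start(), "data": data,
                      "sha256": hashlib.sha256(data).hexdigest()})
    return found


def parse_ole1_header(data: bytes):
    """Read the MS-OLEDS ObjectHeader at the start of decoded \\objdata:
    OLEVersion (must be 0x501), FormatID, then the length-prefixed class name."""
    if len(data) < 12:
        return None
    version, format_id, name_len = struct.unpack_from("<III", data, 0)
    if version != 0x00000501 or len(data) < 12 + name_len:
        return None
    class_name = data[12:12 + name_len].rstrip(b"\x00").decode("latin-1", "replace")
    kind = {1: "linked", 2: "embedded"}.get(format_id, "unknown")
    return {"format_id": format_id, "kind": kind, "class_name": class_name}


def analyse(rtf: bytes) -> dict:
    """Reproduce the report's two heuristics and its carved-artifact naming."""
    objects = extract_objdata(rtf)
    for n, obj in enumerate(objects):
        obj["filename"] = "objdata_%02d_off%08x.bin" % (n, obj["offset"])
        obj["header"] = parse_ole1_header(obj["data"])
    return {
        "RTF_OBJDATA": len(objects),
        "RTF_OBJUPDATE": OBJUPDATE_RE.search(rtf) is not None,
        "objects": objects,
    }


if __name__ == "__main__":
    report = analyse(build_sample_rtf())
    print("RTF_OBJUPDATE:", report["RTF_OBJUPDATE"])
    print("RTF_OBJDATA  :", report["RTF_OBJDATA"], "section(s)")
    for o in report["objects"]:
        print(o["filename"], len(o["data"]), "bytes", o["sha256"][:16], o["header"])
```

On a real file, replace build_sample_rtf() with the raw bytes of the document and write each obj["data"] to obj["filename"] for follow-up analysis. The class name read from the header tells you which COM server the object will be handed to on activation, which is what decides whether an automatically updated object is dangerous.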