Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 d970136fe9331ffe…

MALICIOUS

RTF / .DOC

82.9 KB
MD5: e81e76fb3dc60e33f57cd05b18027a15 SHA-1: 88f70058ae7b47e162ae7112de55d3f58a3285bf SHA-256: d970136fe9331ffe11bf0c2a8dbea75bbc943aaf14887091d82d7e4fc6cd3721
60 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell T1204.002 Malicious File

The RTF document contains embedded OLE object data and is configured to automatically update, indicating an attempt to exploit OLE vulnerabilities or trick the user into activating embedded content. The high-severity RTF_OBJUPDATE heuristic suggests that the embedded object is intended to be activated, likely leading to the download and execution of a second-stage payload. No specific family could be identified from the available heuristics.

Heuristics 2

  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off00001d1d.bin
e0adcfa3d8e77510f4c1e73d4dd3825a6632c489993198ef72081dbbd42fd734		 rtf-objdata-decoded RTF \objdata at offset 0x1D1D 4197 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.