Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 df2af94093db69e0…

MALICIOUS

RTF / .DOC

51.9 KB
MD5: 548c6eca4b67f24d2687110e7d0162fa SHA-1: 5f71b39ccaf8c490dde9d5bb32e7453e490ff3b2 SHA-256: df2af94093db69e06deef4e9b7796b4bab65b2d18f0f3fbc8eecd9b2db295fc7
60 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious File

The RTF document contains OLE object data and triggers an OLE activation event, indicating an attempt to exploit a vulnerability. The presence of the objdata section and the objupdate heuristic strongly suggest that the document is designed to embed and execute malicious content, likely leading to further stages of an attack. The SHA256 hash is provided as a primary indicator.

Heuristics 2

  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off00000fd7.bin
bba600929a30d4207863a5eb28e0186910fdee371f1dfd07f097ba829114631e		 rtf-objdata-decoded RTF \objdata at offset 0xFD7 1790 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.