Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 e143c3dc18b3bcb9…

MALICIOUS

RTF / .DOC

9.4 KB
MD5: 6fc44a613b209a994e653625ca7daeb2 SHA-1: 7f84bfd68dc4c7194122d0079f2749c4199ebf80 SHA-256: e143c3dc18b3bcb9ccfaeef675f4e198ab1c3fda6cdf5f52e68d894b761f44a4
60 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.001 PowerShell

The RTF document contains OLE object data, indicated by the RTF_OBJDATA heuristic. The RTF_OBJUPDATE heuristic suggests that the embedded OLE object is designed to be activated, which is a common technique for delivering malicious payloads. No document body or script content was available for further analysis, limiting the ability to determine the exact nature of the payload or its family. The primary IOC is the extracted OLE object data file.

Heuristics 2

  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 2 \objdata section(s) — embedded OLE objects

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off00001213.bin
31f972c7ac29f329dc20f4be97fae16b9382e64f01dd075333612949dba4226f		 rtf-objdata-decoded RTF \objdata at offset 0x1213 1562 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.