Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 e1d889d6efff6f44…

MALICIOUS

RTF / .DOC

3.3 KB
MD5: 0f79510062a47b17fb4f44252852061e SHA-1: de8f0a9c80cad2d357530e2dcc0bd67860210a7e SHA-256: e1d889d6efff6f448c07931c08a7cd69cda77aeb77afebbe9d4f9c86f68147c6
60 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.001 PowerShell

The file is an RTF document containing OLE object data and an ".objupdate" directive, which strongly suggests an attempt to exploit vulnerabilities related to OLE object activation. This technique is commonly used to deliver and execute malicious payloads. While no specific family is identifiable, the method points towards a downloader or exploit-delivery mechanism.

Heuristics 2

  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off00000043.bin
b0b5b36e2c7f324a41e8db74b1718095db8ec415c1d0a3b982dadbe4cb5486d0		 rtf-objdata-decoded RTF \objdata at offset 0x43 1579 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.