Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 ed0af10c135f953a…

MALICIOUS

RTF / .DOC

11.6 KB
MD5:     e3d32174d143f46aaf7b43e6862486a6
SHA-1:   d935eb9f53e0abface9c121fbd7e49a25937711b
SHA-256: ed0af10c135f953a2099dee2aad9ef39fbd2c4b942a0bbeaea1e1bfe341a0d7c

Risk score: 100

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell
  • T1204.002 Malicious File

The RTF document contains OLE object data and is configured to automatically update and activate these objects. This suggests an attempt to exploit OLE vulnerabilities or trick the user into activating embedded content, likely for malicious purposes. While no specific payload or script was directly extracted, the heuristic firings strongly indicate a delivery mechanism for a secondary exploit or malware. The confidence is moderate due to the lack of a directly observable payload.

Heuristics (3)

  • Automatically linked OLE object (severity: high, rule RTF_OBJAUTLINK)
    RTF contains \objautlink: an automatically linked OLE object surface that can be updated or activated when Word opens the document.
  • \objupdate forces OLE activation (severity: high, rule RTF_OBJUPDATE)
    RTF contains \objupdate: forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium, rule RTF_OBJDATA)
    RTF contains 2 \objdata section(s): embedded OLE objects.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  Filename: objdata_00_off00001c43.bin
  SHA-256:  93b05a5d0e90fde420fe20592446ed8acd647ea28636f124014ae03c7b7919d3
  Kind:     rtf-objdata-decoded
  Source:   RTF \objdata at offset 0x1C43
  Size:     1697 bytes