Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 ed27c2e6a7141873…

MALICIOUS

RTF / .DOC

79.3 KB
MD5: 8ff08e5943f6494119b3c5ac11316d44
SHA-1: 59ab0d75eff4470f4a2d6754df8aabb2a5453e1c
SHA-256: ed27c2e6a71418735c6d8bd9919f9138b948ad95bbae4ed8c27994b0eee35fec

Risk Score: 60

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1204.002 Malicious File

The file is an RTF document containing OLE object data, as indicated by the RTF_OBJDATA heuristic. The RTF_OBJUPDATE heuristic specifically points to the \objupdate control word, which forces OLE object activation when the document is opened. This suggests the document is designed to abuse OLE object embedding to execute arbitrary code on open. No document body or script content was available for further analysis, which limits the ability to determine the specific payload or lure.

Heuristics (2)

  • RTF_OBJUPDATE (high): \objupdate forces OLE activation
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • RTF_OBJDATA (medium): OLE object data
    RTF contains 1 \objdata section(s) — embedded OLE objects.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00001ff1.bin
SHA-256:  776287b663a455bc2451c76775988f7676831f6dccfeeddef57cd7ae1885b106
Kind:     rtf-objdata-decoded
Source:   RTF \objdata at offset 0x1FF1
Size:     4193 bytes