Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 edd8567fa4060b87…

Verdict: MALICIOUS
File type: RTF / .DOC
Size: 512.1 KB
MD5: 754153b11a3b8a25db0d9e1119340622
SHA-1: 157bdd7cd56850d1b27d0162406516914f13c432
SHA-256: edd8567fa4060b87c36d5a82cdf56fbe28e41e2f62daaf3342ced979934f68b7
Risk score: 60

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File

The RTF document contains OLE object data and uses an \objupdate directive, indicating it's designed to trigger the execution of embedded objects. This is a common technique for delivering malicious payloads via document files. No specific family could be identified from the available heuristics.

Heuristics (2)

  • \objupdate forces OLE activation (severity: high, rule RTF_OBJUPDATE)
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium, rule RTF_OBJDATA)
    RTF contains 1 \objdata section(s) — embedded OLE objects.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off0000006f.bin
SHA-256: b661898cdd3eb14635358d83970a34c36b2cc119c6fca245346c9973055cbe06
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x6F
Size: 36766 bytes