Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 ee92032a43cedfb1…

MALICIOUS

RTF / .DOC

10.3 KB
MD5: 572c4cfc806ae3033ae80c2cf7de5d75 SHA-1: 73b37311dbbea1b58d77f5540a700983be4f107b SHA-256: ee92032a43cedfb12e3ec7d611dae48e94920dfdfcc8b9444d0c4dc50e981de9
60 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious File

The RTF document contains OLE object data and uses \objupdate, indicating an attempt to exploit OLE object activation. This suggests the file is designed to deliver a payload via an embedded object, likely through a social engineering lure. No specific family could be identified, and no further IOCs were extracted.

Heuristics 2

  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 2 \objdata section(s) — embedded OLE objects

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off00001267.bin
a31a35919fa62d2d46f61b7707c8011afe40180ef5aa9d1357093b0732d79633		 rtf-objdata-decoded RTF \objdata at offset 0x1267 1828 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.