Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 ef9b9cf79a9b1a36…

Verdict: MALICIOUS
File type: RTF / .DOC
Size: 3.7 KB
MD5: 4807ddde975dab384cbd2fbe9d8bc30a
SHA-1: 1aa800ce109205d2be0c25fef8deb530eb888ac0
SHA-256: ef9b9cf79a9b1a36edb597b15253eeb9ba7a86bbe44f7fcf915dc0bc9c903593
Risk Score: 60

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File

The sample is an RTF document containing embedded OLE object data, which is indicative of an exploit attempt. The high-severity RTF_OBJUPDATE heuristic suggests that the embedded object is designed to be activated automatically, likely triggering the execution of malicious code. While no specific scripts or URLs were extracted, the presence of OLE object data strongly suggests a delivery mechanism for a secondary payload.

Heuristics (2)

  • RTF_OBJUPDATE (severity: high): \objupdate forces OLE activation
    The RTF contains the \objupdate control word, which forces automatic instantiation of the embedded OLE object when the document is opened, bypassing any user interaction. This construct is almost exclusively seen in Equation Editor exploit documents.
  • RTF_OBJDATA (severity: medium): OLE object data
    The RTF contains 1 \objdata section(s), i.e. embedded OLE object(s).

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00000043.bin
SHA-256: abacf6d6d9fae4049edae855bee1cd595308b23b9bd5b7f04e9025ee200a135c
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x43
Size: 1757 bytes