Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 f436a7d24e4b2815…

MALICIOUS

RTF / .DOC

195.3 KB
MD5: 950f0734ac6623139f1f2a9e47a3a1a4 SHA-1: cbfae052699690ac8a55431376794762f0821d51 SHA-256: f436a7d24e4b281535742fa8a60ed7eadb0ed5bc186d43c716b7a4dc7a8272be
60 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious File T1059.001 PowerShell

The sample is an RTF document containing embedded OLE objects, indicated by the RTF_OBJDATA heuristic. The RTF_OBJUPDATE heuristic suggests that these objects are automatically activated upon opening. While no specific document body content or scripts were extracted, the presence of these heuristics strongly implies an exploit targeting OLE object activation to deliver a secondary payload. The exact nature of the payload and delivery mechanism remains unclear without further analysis of the embedded objects.

Heuristics 2

  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 2 \objdata section(s) — embedded OLE objects

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off00000fb5.bin
d7049005e1280ec8ae7b255a834505cd7db35cc5706ecee0cd34e8c08e5f7da0		 rtf-objdata-decoded RTF \objdata at offset 0xFB5 1913 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.