Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 f67387e1bff728ce…

MALICIOUS

RTF / .DOC

228.2 KB
MD5: 0b2a1fc54f56bc436b44782c3f67e031
SHA-1: f65e7fdc10c629b546c68fbebc9f1409db6afe4a
SHA-256: f67387e1bff728cea494de95e850fdddfb45a80a3e6d1449635fbad7154e9859
Risk Score: 80

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File
  • T1059.001 PowerShell

The file is an RTF document containing embedded OLE objects, with heuristics indicating that \objupdate forces OLE activation. This suggests an attempt to exploit a vulnerability related to OLE object handling within Microsoft Office applications. The presence of OLE object data and the activation trigger strongly point towards a malicious exploit delivery mechanism. Without further script or body content, the exact payload and delivery method remain partially obscured, leading to a moderate confidence score.

Heuristics (3)

  • \objupdate forces OLE activation (severity: high, rule: RTF_OBJUPDATE)
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium, rule: RTF_OBJDATA)
    RTF contains 1 \objdata section(s) — embedded OLE objects.
  • Embedded OLE object (severity: medium, rule: RTF_OBJEMB)
    RTF contains \objemb — embedded OLE object.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  • Filename: objdata_00_off00001532.bin
    SHA-256: ea5fcff57e31c816c046694ec28222cbd512e5c163f9abf78f959a79f841a7e0
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x1532
    Size: 3637 bytes