Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 f82b872fa9df727a…

MALICIOUS

RTF / .DOC

192.9 KB
MD5: a7eb501502e680277ea4b3263c3561a5
SHA-1: b3c05220a0adc6fca8d169f99b888d98997ec6a6
SHA-256: f82b872fa9df727a5ed2e21bdb969f9281794fea16ad1d21ff2318cf3293fcd3

Risk Score: 60

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious File
  • T1059.001 PowerShell

The RTF document contains embedded OLE object data and carries an \objupdate control word, which forces the OLE object to activate as soon as the document is opened, indicating an attempt to abuse automatic OLE activation. This technique is commonly used to embed and execute malicious content, such as a second-stage payload, without user interaction. The file's SHA-256 hash is provided as the primary IOC.

Heuristics (2)

  • \objupdate forces OLE activation (severity: high, rule: RTF_OBJUPDATE)
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium, rule: RTF_OBJDATA)
    RTF contains 2 \objdata section(s): embedded OLE objects.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00000c1b.bin
SHA-256: c7a983ab17518ba7b13be534e22f28c2fad1293835c7029b91ff47b97f1b2d69
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0xC1B
Size: 1909 bytes