Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 f925056e4012cd83…

Verdict: MALICIOUS
Type: RTF / .DOC
Size: 88.6 KB
MD5: a8abfb9ee0c5db89c670e227d7820225
SHA-1: 5fa4c05415e1b82ae68094c881372dffd26ec2f4
SHA-256: f925056e4012cd831e37a531cc0f6e6b1c7d94436fcbc53058bf9ab510b15cb0
Risk Score: 62

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File

The RTF document contains OLE object data and an \objupdate directive, indicating it is designed to activate its embedded object automatically when opened. This is a common technique for delivering exploits or payloads. Because no script or document body content was recovered, the exact nature of the payload cannot be determined, but the heuristics strongly suggest an attack vector that relies on OLE object activation.

Heuristics (2)

  • RTF_OBJUPDATE (high): \objupdate forces OLE activation
    The RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • RTF_OBJDATA (medium): OLE object data
    The RTF contains 1 \objdata section (embedded OLE object data).

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off0000142a.bin
SHA-256: 88814ac10171a4bd15f23f82abd2407a024b7d77504a32f59dc7c2dcf8e3eddf
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x142A
Size: 4282 bytes