Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 f948b2b958ebafca…

MALICIOUS

RTF / .DOC

89.0 KB
MD5: 9edf6b0ba778decb22f1ead826cd8458 SHA-1: 92e3a71930c469dfdc5afecd9755c61dbd0aaf7d SHA-256: f948b2b958ebafca27409c59835ba02cd4406b17549206c143c0d6a7dd7a3552
62 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.001 PowerShell

The RTF document contains OLE object data and a \objupdate heuristic firing, indicating it's designed to trigger OLE activation upon opening. This suggests an attempt to execute embedded malicious content. No document body or script content was available for further analysis, limiting the ability to determine the specific payload or family.

Heuristics 2

  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off00001a8b.bin
ae47beca66383740bc1c9fcaf0a16d7d98004b18248208ee0a3fc7adcc33274d		 rtf-objdata-decoded RTF \objdata at offset 0x1A8B 4179 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.