Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 fa644a9c4ff432a0…

MALICIOUS

RTF / .DOC

126.1 KB
MD5: 4ea29590a0f49e9de68444ac464cad72 SHA-1: 1b349b984166288c7131277dea5645a4fc12caf0 SHA-256: fa644a9c4ff432a040215e80321890e1c6dfdf9d097ee7ee8e2f1e72ac7c259d
Risk Score: 60

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.001 PowerShell

The file is an RTF document containing an embedded OLE object (an \objdata stream) together with an \objupdate directive. \objupdate forces the OLE object to be updated and activated when the document is opened, so the embedded content is handled without the user clicking on it. No script or document body text was extracted for further analysis, but this combination of RTF-specific indicators is characteristic of documents that abuse OLE object handling for initial access. Note that the T1059.001 (PowerShell) mapping above is not corroborated by any artifact carved from this sample; the only extracted artifact is the decoded \objdata blob listed below. The full SHA-256 is the primary identifier for this sample.

Heuristics (2)

  • \objupdate forces OLE activation (severity: high, RTF_OBJUPDATE)
    RTF contains \objupdate, which forces the embedded OLE object to be instantiated automatically when the document is opened, so no user interaction is required. Commonly seen in Equation Editor exploit documents, where it triggers the vulnerable object handler on open.
  • OLE object data (severity: medium, RTF_OBJDATA)
    RTF contains 1 \objdata section(s), i.e. embedded OLE object(s) encoded as hex.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename                     Kind                  Source                           Size
objdata_00_off000014a1.bin   rtf-objdata-decoded   RTF \objdata at offset 0x14A1    3649 bytes
  SHA-256: e86b9551dafd781ba0510b91fad0a79c218c3e5e7b74f77db8db8bd12338fec3
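The two heuristics above and the carved artifact come from the same mechanical steps: locate the \objupdate control word, locate each \objdata stream, hex-decode it, hash the result and read the OLE1 ObjectHeader to learn the object's class. The following Python is an added example of those steps; it is not the analysis tool that produced this report. The RTF it scans is constructed inline for the example (one embedded object of class "Equation.3" with four placeholder bytes as native data, not the analysed sample), and the OLE1 layout follows the MS-OLEDS ObjectHeader (OLEVersion, FormatID, ClassName, TopicName, ItemName) followed by NativeDataSize and NativeData. The regular expressions handle the clean case only; real samples often split the hex run with junk control words or whitespace, which a production carver must strip before decoding.

```python
"""Added example: scan an RTF for \\objupdate / \\objdata and carve the OLE1 objects.

Illustrative code, not the report's analysis tool. The sample RTF below is
constructed for this example and is not the analysed file.
"""
import hashlib
import re
from typing import Optional

OBJUPDATE_RE = re.compile(rb"\\objupdate\b")
# Clean-case pattern: \objdata followed by a run of hex digits (whitespace allowed).
# Real samples may interleave junk control words in the hex; strip those first.
OBJDATA_RE = re.compile(rb"\\objdata\b\s*([0-9A-Fa-f\s]+)")


def _lp_ansi(s: str) -> bytes:
    """MS-OLEDS LengthPrefixedAnsiString: 4-byte length then NUL-terminated bytes,
    or a zero length with no string bytes."""
    if not s:
        return (0).to_bytes(4, "little")
    raw = s.encode("ascii") + b"\x00"
    return len(raw).to_bytes(4, "little") + raw


def build_ole1_object(class_name: str, native: bytes) -> bytes:
    """Build an OLE1 embedded object: ObjectHeader + NativeDataSize + NativeData."""
    header = (
        (0x00000501).to_bytes(4, "little")    # OLEVersion
        + (0x00000002).to_bytes(4, "little")  # FormatID 2 = embedded object
        + _lp_ansi(class_name)                # ClassName, e.g. "Equation.3"
        + _lp_ansi("")                        # TopicName (empty)
        + _lp_ansi("")                        # ItemName (empty)
    )
    return header + len(native).to_bytes(4, "little") + native


def ole1_class_name(blob: bytes) -> Optional[str]:
    """Return the ClassName from an OLE1 ObjectHeader, or None if it does not parse."""
    if len(blob) < 12:
        return None
    format_id = int.from_bytes(blob[4:8], "little")
    name_len = int.from_bytes(blob[8:12], "little")
    if format_id not in (1, 2) or name_len == 0 or 12 + name_len > len(blob):
        return None
    return blob[12:12 + name_len].rstrip(b"\x00").decode("ascii", "replace")


def find_objupdate(rtf: bytes) -> list:
    """Offsets of every \\objupdate control word (forces OLE activation on open)."""
    return [m.start() for m in OBJUPDATE_RE.finditer(rtf)]


def carve_objdata(rtf: bytes) -> list:
    """Decode every \\objdata hex stream into the bytes a sandbox would carve."""
    found = []
    for m in OBJDATA_RE.finditer(rtf):
        hexdata = re.sub(rb"\s+", b"", m.group(1))
        if len(hexdata) % 2:          # tolerate a truncated trailing nibble
            hexdata = hexdata[:-1]
        blob = bytes.fromhex(hexdata.decode("ascii"))
        found.append({
            "offset": m.start(),      # offset of the \objdata control word
            "size": len(blob),
            "sha256": hashlib.sha256(blob).hexdigest(),
            "class_name": ole1_class_name(blob),
            "data": blob,
        })
    return found


def triage(rtf: bytes) -> list:
    """Heuristic IDs in the same spirit as the report's RTF_OBJUPDATE / RTF_OBJDATA."""
    hits = []
    if find_objupdate(rtf):
        hits.append("RTF_OBJUPDATE")
    if carve_objdata(rtf):
        hits.append("RTF_OBJDATA")
    return hits


# Constructed sample: one embedded object of class "Equation.3" with four
# placeholder bytes as native data (no real Equation Editor content).
SAMPLE_OBJECT = build_ole1_object("Equation.3", b"\x01\x02\x03\x04")
SAMPLE_RTF = (
    b"{\\rtf1\\ansi\\deff0 {\\object\\objemb\\objupdate{\\*\\objclass Equation.3}"
    b"{\\*\\objdata " + SAMPLE_OBJECT.hex().encode("ascii") + b"}}\\par}"
)
BENIGN_RTF = b"{\\rtf1\\ansi\\deff0 Hello, world.\\par}"

if __name__ == "__main__":
    print("heuristics:", triage(SAMPLE_RTF))
    for obj in carve_objdata(SAMPLE_RTF):
        print(f"objdata at 0x{obj['offset']:X}: {obj['size']} bytes "
              f"class={obj['class_name']} sha256={obj['sha256']}")
```

Running it on the constructed sample reports both heuristics and one carved object of 39 bytes with class "Equation.3"; on a plain-text RTF it reports nothing. The class name is the detail worth adding to a report like this one: an \objdata whose header names an Equation Editor class, combined with \objupdate, is the pattern the high-severity heuristic is describing, whereas a Package or Word.Document class points at a different delivery technique.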