Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 fb9536272584329c…

Verdict: MALICIOUS
File type: RTF / .DOC
Size: 3.5 KB
MD5: d99ceb3c7f74e1aef9cf5b9c6fab21a9
SHA-1: a0434766ec18e38d7262994fcd18d01d4b41b2b6
SHA-256: fb9536272584329c624805aaa8a50b88b737a9e89a8430bbc8b5d0626dda17fb
Risk score: 100

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File

Three heuristics fired on this RTF: it carries an OLE object flagged for automatic link update (\objautlink) and forced activation on open (\objupdate), together with one embedded \objdata stream. That combination is characteristic of documents built to trigger an RTF/OLE parsing vulnerability, or to coax the user into activating the object, so that the embedded content (most likely a second-stage payload) executes. No malware family could be identified, and no indicators beyond the file's own hashes were extracted; the carved OLE object listed under Extracted artifacts is the piece to analyze next.

Heuristics (3)

  • Automatically linked OLE object [high] RTF_OBJAUTLINK
    The RTF contains \objautlink, which marks the OLE object as an automatically updated link. Word may refresh or activate such an object when the document is opened, without the user double-clicking it.
  • \objupdate forces OLE activation [high] RTF_OBJUPDATE
    The RTF contains \objupdate, which tells Word to update (and therefore instantiate) the OLE object as soon as the document is opened, with no user interaction. Legitimate documents rarely use it; in the wild it is seen almost exclusively in Equation Editor exploit documents.
  • OLE object data [medium] RTF_OBJDATA
    The RTF contains 1 \objdata section (hex-encoded data of an embedded OLE object).

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00000050.bin
SHA-256: 86b71a31a270191e220756a80dfaf1eeabce8cefc0838753f035ca625ece53d6
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x50
Size: 1660 bytes
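As an added triage example (not code from the analysis platform that produced this report), the script below reproduces the two steps behind the findings above: it flags the \objautlink, \objupdate and \objdata control words with the rule IDs and severities this report uses, carves each \objdata hex stream back into bytes the way the extracted artifact was produced, and parses the OLE1 header of the carved object to recover its class name and native payload. The RTF it scans is constructed inline with a placeholder class name and payload bytes; it is not the analyzed sample, and the convention of naming carved objects by the file offset of the \objdata control word is an assumption about how the report labels its artifact.

```python
"""Added RTF triage example: heuristics, \objdata carving, OLE1 header parsing.
Sample RTF is constructed below; it is not the analyzed file."""
import re
import struct
from dataclasses import dataclass

# Rule IDs and severities as assigned in the report above.
HEURISTICS = {
    b"\\objautlink": ("RTF_OBJAUTLINK", "high"),
    b"\\objupdate": ("RTF_OBJUPDATE", "high"),
    b"\\objdata": ("RTF_OBJDATA", "medium"),
}

# RTF control symbol \*, hex escape \'hh, or control word with optional number/space.
_CTRL_WORD = rb"\\\*|\\'[0-9A-Fa-f]{2}|\\[A-Za-z]+-?\d* ?"


@dataclass
class CarvedObject:
    index: int
    offset: int  # offset of the \objdata control word (assumed to match the report's "offset")
    data: bytes  # decoded object bytes

    @property
    def filename(self) -> str:
        # Same naming scheme as the report's artifact: objdata_<index>_off<offset>.bin
        return f"objdata_{self.index:02d}_off{self.offset:08x}.bin"


def find_heuristics(rtf: bytes) -> list:
    """Return (rule_id, severity, offset) for every matching control word, sorted by offset.
    The lookahead stops \objdata from matching inside a longer word such as \objdatax."""
    hits = []
    for word, (rule, severity) in HEURISTICS.items():
        for m in re.finditer(re.escape(word) + rb"(?![A-Za-z])", rtf):
            hits.append((rule, severity, m.start()))
    return sorted(hits, key=lambda h: h[2])


def _group_end(rtf: bytes, start: int) -> int:
    """Index of the '}' closing the RTF group opened by the '{' at `start`."""
    depth, i = 0, start
    while i < len(rtf):
        c = rtf[i:i + 1]
        if c == b"\\":
            i += 2  # skip the escaped character, so \{ and \} do not change depth
            continue
        if c == b"{":
            depth += 1
        elif c == b"}":
            depth -= 1
            if depth == 0:
                return i
        i += 1
    raise ValueError("unbalanced RTF group")


def carve_objdata(rtf: bytes) -> list:
    """Decode every {\*\objdata ...} hex stream into bytes. Only simple layouts are
    handled: nested groups and control words are dropped, then non-hex bytes."""
    objects = []
    for idx, m in enumerate(re.finditer(rb"\\objdata(?![A-Za-z])", rtf)):
        group_start = rtf.rfind(b"{", 0, m.start())
        if group_start < 0:
            continue
        body = rtf[m.end():_group_end(rtf, group_start)]
        body = re.sub(rb"\{[^{}]*\}", b"", body)
        body = re.sub(_CTRL_WORD, b"", body)
        hexdigits = re.sub(rb"[^0-9A-Fa-f]", b"", body)
        if len(hexdigits) % 2:
            hexdigits = hexdigits[:-1]  # discard a dangling nibble
        objects.append(CarvedObject(idx, m.start(), bytes.fromhex(hexdigits.decode("ascii"))))
    return objects


def _lpstr(data: bytes, pos: int):
    """MS-OLEDS LengthPrefixedAnsiString: 4-byte length (NUL included), then the bytes."""
    (n,) = struct.unpack_from("<I", data, pos)
    pos += 4
    return data[pos:pos + n].rstrip(b"\x00").decode("latin-1"), pos + n


def parse_ole1(data: bytes) -> dict:
    """Parse the OLE1 header at the start of a decoded \objdata stream: OLEVersion,
    FormatID (1 linked, 2 embedded), ClassName, TopicName, ItemName, then
    NativeDataSize + NativeData for embedded objects."""
    version, format_id = struct.unpack_from("<II", data, 0)
    pos = 8
    class_name, pos = _lpstr(data, pos)
    topic_name, pos = _lpstr(data, pos)
    item_name, pos = _lpstr(data, pos)
    info = {"ole_version": version, "format_id": format_id, "class_name": class_name,
            "topic_name": topic_name, "item_name": item_name}
    if format_id == 2:
        (size,) = struct.unpack_from("<I", data, pos)
        info["native_data"] = data[pos + 4:pos + 4 + size]
    return info


def build_sample_rtf() -> bytes:
    """Constructed sample, not the analyzed file: one auto-updating embedded object
    with a placeholder class name ("Package") and placeholder payload bytes."""
    def lp(s: bytes) -> bytes:
        return b"\x00\x00\x00\x00" if not s else struct.pack("<I", len(s) + 1) + s + b"\x00"
    native = b"MZ" + b"\x90" * 14
    ole1 = (struct.pack("<II", 0x501, 2) + lp(b"Package") + lp(b"") + lp(b"")
            + struct.pack("<I", len(native)) + native)
    return (b"{\\rtf1\\ansi\n{\\object\\objautlink\\objupdate\\objw100\\objh100"
            b"{\\*\\objclass Package}{\\*\\objdata " + ole1.hex().encode() + b"}}\n}")


if __name__ == "__main__":
    sample = build_sample_rtf()
    for rule, sev, off in find_heuristics(sample):
        print(f"[{sev}] {rule} at 0x{off:x}")
    for obj in carve_objdata(sample):
        hdr = parse_ole1(obj.data)
        print(f"{obj.filename}: {len(obj.data)} bytes, class {hdr['class_name']!r}")
```

Run it directly to print the heuristic hits and a one-line summary of the carved object; pass the bytes of a real sample to carve_objdata to get the same objdata_NN_offXXXXXXXX.bin blobs this report lists. Exploit documents in the wild routinely obfuscate the \objdata stream (nested groups, injected control words, irregular whitespace, \bin runs), and the simple hex filter here will not survive all of that; oletools' rtfobj is the tool to reach for on such samples.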