Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 fc14a975c31a68f2…

MALICIOUS

RTF / .DOC

4.0 KB
MD5:     7532a3a3291d1bd5a4655da759a685c7
SHA-1:   a96841398f024961086ecfe47ef857898e58ddfd
SHA-256: fc14a975c31a68f2100c7464e259fc2112418682f702cbc952fa42155a5bf2df

Risk Score: 80

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File

The RTF file contains embedded OLE objects, indicated by RTF_OBJDATA and RTF_OBJEMB heuristics. The RTF_OBJUPDATE heuristic suggests that these objects are designed to be activated automatically, likely leading to the execution of malicious code. Without further script or body content, the exact payload and delivery mechanism remain unclear, hence the unknown family and moderate confidence.

Heuristics (3)

  • \objupdate forces OLE activation [severity: high, RTF_OBJUPDATE]
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data [severity: medium, RTF_OBJDATA]
    RTF contains 1 \objdata section(s) — embedded OLE objects.
  • Embedded OLE object [severity: medium, RTF_OBJEMB]
    RTF contains \objemb — embedded OLE object.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename:  objdata_00_off00000054.bin
SHA-256:   bd877b3ab3cc6e8b860fe899f3ebb504fb802b78ed8c0018d1050dc85abcee22
Kind:      rtf-objdata-decoded
Source:    RTF \objdata at offset 0x54
Size:      1909 bytes