Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 fc748c990c915d1c…

MALICIOUS

RTF / .DOC

12.0 KB
MD5: 2982dd709e4bb12f221cc01a0fb12451 SHA-1: 318fbf5d5269b790662f66cca5e3efe40dad873c SHA-256: fc748c990c915d1cea0bce8300f268b29f00e219a76e974a466e4c0b17215c38
100 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell T1204.002 Malicious File

The RTF document contains OLE object data that is automatically linked and updated, indicating an attempt to exploit OLE activation mechanisms. The heuristics strongly suggest that this is a technique to embed and automatically execute malicious content. Without a document body or script content, the exact payload and delivery mechanism cannot be definitively determined, leading to a lower confidence in family attribution.

Heuristics 3

  • Automatically linked OLE object high RTF_OBJAUTLINK
    RTF contains \objautlink — an automatically linked OLE object surface that can be updated or activated when Word opens the document.
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 2 \objdata section(s) — embedded OLE objects

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off00001c44.bin
e3499ab2db049d26db0bc61b15862e9d2577c837739e7cdd75f0411ec8961033		 rtf-objdata-decoded RTF \objdata at offset 0x1C44 1922 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.