Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 fe889ee3ba45f9c1…

MALICIOUS

RTF / .DOC

87.6 KB
MD5: c746fbb948abb7a439256fc73b1ea36b SHA-1: 833b369ff82e05bfe3f63ceef353ddb70a405aeb SHA-256: fe889ee3ba45f9c1f9d7fbaddba932fb76cb75f8f0c3e36f524075ca29565084
100 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious File

The RTF document contains OLE object data and uses automatic linking and update mechanisms, indicating an attempt to exploit vulnerabilities or activate embedded objects. While no specific payload or script was directly extracted, these heuristics strongly suggest a malicious intent to execute code upon opening. The lack of readable document body text or scripts limits further analysis of the exact delivery mechanism or payload.

Heuristics 3

  • Automatically linked OLE object high RTF_OBJAUTLINK
    RTF contains \objautlink — an automatically linked OLE object surface that can be updated or activated when Word opens the document.
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off00001e17.bin
81c9d485d6d34bfe496af289682b3382c737e3a2ac1bb7be189716b49d4c36ed		 rtf-objdata-decoded RTF \objdata at offset 0x1E17 4758 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.