Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 1da34455989dadfb…

MALICIOUS

RTF / .DOC

378.4 KB
MD5: 4adaf3044316865d0670dd8aa3be5e36 SHA-1: 15f404f28616f19444b0b5ebdaa4bf571443a726 SHA-256: 1da34455989dadfba2aab3cccfcfeff66cbc9fffe571c4782183ad7e2e14d1a6
186 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious File

The RTF file contains embedded OLE objects and uses an objupdate directive, which are common techniques for delivering malicious payloads. The heuristics indicate the presence of embedded OLE objects and an update mechanism designed to trigger their activation. While no specific script was extracted, the structure strongly suggests an attempt to execute embedded code upon opening.

Heuristics 4

  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects
  • Embedded OLE object medium RTF_OBJEMB
    RTF contains \objemb — embedded OLE object
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off000008df.bin
a7c7fa12fdbbd0c6c7cad6ad643381c3a022c97fe236c5c213e8809f51139085		 rtf-objdata-decoded RTF \objdata at offset 0x8DF 128568 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.98, consistent with packed or encrypted content.

Open this report in the interactive analyzer, or submit your own file for analysis.