RTF / .DOC malware analysis — malicious · 1fdc2e0cc63c9ec3

MALICIOUS

RTF / .DOC

1007.2 KB First seen: 2023-09-29

MD5: ed8594b20e148abdaccf94a426b1a622 SHA-1: 7778eae252b0508f9723286d1984f051373b9862 SHA-256: 1fdc2e0cc63c9ec3d8ef30dd56ad226a255eb4189dee5b35daa1ebf15ec3e9f0

102 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1204.002 Malicious File

The RTF document contains a large amount of hex-encoded data within an OLE object, indicated by the RTF_EXCESSIVE_HEX and RTF_OBJDATA heuristics. The RTF_OBJUPDATE heuristic suggests that this embedded object is designed to be activated, likely to execute a hidden payload. The presence of a large, suspicious embedded artifact points to a malicious document designed for payload delivery.

Heuristics 4

\objupdate forces OLE activation high RTF_OBJUPDATE

RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
Large hex data blocks in OLE object high RTF_EXCESSIVE_HEX

RTF contains ~1031KB of hex-encoded data inside \objdata sections — may hide a payload
OLE object data medium RTF_OBJDATA

RTF contains 1 \objdata section(s) — embedded OLE objects
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`objdata_00_off0000008d.bin` `ac4876259000720b3c43ac483268bab372e1c94e9df9d52369caaf073351e2f5`	rtf-objdata-decoded	RTF \objdata at offset 0x8D	515552 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact entropy is 8.00, consistent with packed or encrypted content.

Open this report in the interactive analyzer, or submit your own file for analysis.