RTF / .DOC malware analysis — malicious · 25188a30346b0e19

MALICIOUS

RTF / .DOC

1.06 MB First seen: 2023-09-06

MD5: 07f759791ce8247b94da005fc48ad2d7 SHA-1: 89b60d7cb03459f112ae65c744150378c768717b SHA-256: 25188a30346b0e19351aaa4db07181dadf7d1dcf26f300f992c0d37a289f2016

102 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1047 Windows Management Instrumentation

The RTF document contains a large OLE object with excessive hex-encoded data, strongly suggesting it is used to hide a malicious payload. The \objupdate directive indicates an attempt to automatically activate this embedded object upon opening. No document body or script content was available for further analysis, but the presence of the OLE object and the RTF structure are indicative of a downloader or dropper.

Heuristics 4

\objupdate forces OLE activation high RTF_OBJUPDATE

RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
Large hex data blocks in OLE object high RTF_EXCESSIVE_HEX

RTF contains ~1110KB of hex-encoded data inside \objdata sections — may hide a payload
OLE object data medium RTF_OBJDATA

RTF contains 1 \objdata section(s) — embedded OLE objects
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`objdata_00_off0000008f.bin` `f404fef4a0eb68ef68001adebb6b1c95ddeef4411dfc7cc466c0a7867fef0003`	rtf-objdata-decoded	RTF \objdata at offset 0x8F	555459 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact entropy is 8.00, consistent with packed or encrypted content.

Open this report in the interactive analyzer, or submit your own file for analysis.