RTF / .DOC malware analysis — malicious · 2a04279f27132355

MALICIOUS

RTF / .DOC

1.02 MB

MD5: 568ed60f1081c7b0050304350bd3741e SHA-1: 92a52a6059ec9e1967e85a9ff6ba766a84647a98 SHA-256: 2a04279f27132355cb5464ebe2f5f8d419fd1634a28c28bedb425e3b160a9c10

102 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1204.002 Malicious File

The RTF document contains a large amount of hex-encoded data within an OLE object, indicated by the RTF_EXCESSIVE_HEX and RTF_OBJDATA heuristics. The RTF_OBJUPDATE heuristic suggests this object is designed to be activated, likely to execute a hidden payload. The extracted artifact 'objdata_00_off00000075.bin' is the decoded content of this object, which is the primary indicator of malicious intent.

Heuristics 4

\objupdate forces OLE activation high RTF_OBJUPDATE

RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
Large hex data blocks in OLE object high RTF_EXCESSIVE_HEX

RTF contains ~1070KB of hex-encoded data inside \objdata sections — may hide a payload
OLE object data medium RTF_OBJDATA

RTF contains 1 \objdata section(s) — embedded OLE objects
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`objdata_00_off00000075.bin` `704064dd149769740886477a77f31e66301de96b587a706dbff05471928adaa6`	rtf-objdata-decoded	RTF \objdata at offset 0x75	535279 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact entropy is 7.99, consistent with packed or encrypted content.

Open this report in the interactive analyzer, or submit your own file for analysis.