Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 32a024103510d3bc…

MALICIOUS

RTF / .DOC

310.4 KB
MD5: 5315a08422086cda999763363ac021e1
SHA-1: 13f01dc21a7158b6df60db85ebb5d35474893cc8
SHA-256: 32a024103510d3bc6bc15416a226a930aed25abd4bc7764ef2f672b88acf3b69

Risk Score: 122

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File

The RTF file contains an embedded OLE object whose ProgID references the Equation Editor, indicating an exploit attempt. The \objupdate directive suggests that the OLE object is activated automatically when the document is opened, a common technique for exploiting vulnerabilities such as CVE-2017-11882. The extracted artifact, objdata_00_off00001097.bin, is likely the second-stage payload. No specific malware family could be identified, but the attack pattern is consistent with exploit-laced documents.

Heuristics (4)

  • Split hex Equation Editor ProgID + OLE object (critical, RTF_EQUATION_EDITOR)
    RTF embeds the Equation.3 ProgID as hex bytes near OLE object activation and splits the byte stream with whitespace or an ignorable RTF group. This is an Equation Editor OLE activation surface commonly used by CVE-2017-11882 / CVE-2018-0802 exploit documents.
  • \objupdate forces OLE activation (high, RTF_OBJUPDATE)
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (medium, RTF_OBJDATA)
    RTF contains 1 \objdata section(s), i.e. embedded OLE objects.
  • Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00001097.bin
SHA-256: 9ac1e2fdd2f2714bdfb3b72d45f21925352dda39841ee0d9777284e1c547ccaa
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x1097
Size: 156716 bytes
Detection: ClamAV: No threats found
Obfuscation or payload: likely (carved artifact entropy is 8.00, consistent with packed or encrypted content)