RTF / .DOC malware analysis — malicious · 417f8b2393178401

MALICIOUS

RTF / .DOC

65.5 KB

MD5: 9a4c6f8cd94687efb06060b01c3d22c8 SHA-1: 77a6a3d8c4dc06f13a34cc91d077a08d49bca5c1 SHA-256: 417f8b23931784015c4e353ac9644af28d805e9cfeddab23fe1d5837d5f8801f

82 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1204.002 Malicious File

The RTF document contains an embedded OLE object that is triggered by \objupdate, indicating an attempt to exploit a vulnerability. The presence of objdata suggests the exploitation of the Equation Editor vulnerability (CVE-2017-11882). The extracted artifact, objdata_00_off00000043.bin, is likely the payload or exploit code. The file is classified as malicious, and the techniques observed are consistent with delivering a secondary payload via an embedded object.

Heuristics 4

\objupdate forces OLE activation high RTF_OBJUPDATE

RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
OLE object data medium RTF_OBJDATA

RTF contains 1 \objdata section(s) — embedded OLE objects
Embedded OLE object medium RTF_OBJEMB

RTF contains \objemb — embedded OLE object
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`objdata_00_off00000043.bin` `6aed5300db8f56a40504059c4211aaf3331017425b6eebab273043d04cd35281`	rtf-objdata-decoded	RTF \objdata at offset 0x43	33398 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact entropy is 7.99, consistent with packed or encrypted content.

Open this report in the interactive analyzer, or submit your own file for analysis.