RTF / .DOC malware analysis — malicious · 469a999081f85b62

MALICIOUS

RTF / .DOC

167.2 KB

MD5: 654f412f1aa61d7923a028d6fe44271d SHA-1: 20b4865d0acabc42bc9b7bb5c85828a95ec16788 SHA-256: 469a999081f85b628a17c458feaa87c21afa26376275c374551917bb50b0bb95

62 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1204.002 Malicious File

The RTF document contains an embedded OLE object, indicated by the RTF_OBJDATA heuristic. The RTF_OBJUPDATE heuristic suggests that this object is designed to be activated automatically, likely to exploit a vulnerability. The extracted artifact 'objdata_00_off0000005b.bin' is the payload of this exploit. No document body text or scripts were available for further analysis.

Heuristics 3

\objupdate forces OLE activation high RTF_OBJUPDATE

RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
OLE object data medium RTF_OBJDATA

RTF contains 1 \objdata section(s) — embedded OLE objects
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`objdata_00_off0000005b.bin` `0d9fa266a1a9929c06e6dae72f2686a1b9ab2ff1dc7d261c3909272842d701ac`	rtf-objdata-decoded	RTF \objdata at offset 0x5B	85456 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact entropy is 8.00, consistent with packed or encrypted content.

Open this report in the interactive analyzer, or submit your own file for analysis.