Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 49e18c78c0faa3d4…

MALICIOUS

RTF / .DOC

173.8 KB
MD5: 6dc4add353911daadca13884a3a8d08a
SHA-1: 947e3fb081ac3b86610aa678f98c9ac0a112910c
SHA-256: 49e18c78c0faa3d42c04c86be761480865e7fbeece7d5096481c265323d27127
Risk Score: 62

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1204.002 Malicious File

The RTF document carries an embedded OLE object (\objdata) together with the \objupdate control word, which makes Word update, and therefore load, the object as soon as the document is rendered instead of waiting for the user to activate it. That combination is the classic delivery mechanism for exploits against OLE object handlers, so the file should be assumed to run a payload when opened. No specific malware family could be identified, and no external IOCs (URLs, IP addresses, domains) were extracted.

Heuristics (3)

  • \objupdate forces OLE activation [high] RTF_OBJUPDATE
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing the user interaction (double-clicking the object) that an embedded OLE object normally requires before its server is loaded. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data [medium] RTF_OBJDATA
    RTF contains 1 \objdata section (an embedded OLE object).
  • Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00000073.bin
SHA-256: 1507c07e9d24a13d77cd62547d6c4e83192e422c2539ab058437e85c912d0681
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x73
Size: 88802 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 8.00 bits per byte, the theoretical maximum, consistent with packed or encrypted content; a structured OLE container or a plain executable scores noticeably lower because of its headers and repeated fields. A clean ClamAV result on a blob like this carries little weight, since signatures cannot match packed or encrypted data, so the absence of a hit should not lower the verdict.
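As an added, runnable example (not the analyzer's own code and not derived from this sample), the following Python reproduces the checks behind the RTF_OBJUPDATE and RTF_OBJDATA heuristics and the artifact triage above: it detects the \objupdate control word, carves and hex-decodes each \*\objdata destination, parses the OLE 1.0 native-data header that the decoded bytes carry (version, format ID, class name, native-data size), and scores the embedded native data's Shannon entropy. The RTF it scans is constructed inline (an Equation.3 object whose native data is a 256-byte stand-in with every byte value distinct, so it reaches the same 8.00 entropy as the report's artifact). The function names, the HIGH_ENTROPY_PAYLOAD flag and the 7.5 bits-per-byte threshold are assumptions for illustration, not the analyzer's rules.

```python
import math
import re
import struct
from collections import Counter

HEX_DIGITS = set("0123456789abcdefABCDEF")
CONTROL_WORD = re.compile(r"\\[a-zA-Z]+(?:-?\d+)? ?")


def build_sample_rtf() -> str:
    """Constructed RTF (not the analysed sample): an embedded Equation.3 object
    with \\objupdate. The native data is a 256-byte stand-in payload whose
    bytes are all distinct, so its entropy is exactly 8.00 like the report's artifact."""
    class_name = b"Equation.3\x00"
    native = bytes(range(256))
    ole1 = (
        struct.pack("<II", 0x00000501, 0x00000002)   # OLEVersion, FormatID 2 = embedded
        + struct.pack("<I", len(class_name)) + class_name
        + struct.pack("<II", 0, 0)                    # TopicName / ItemName lengths
        + struct.pack("<I", len(native)) + native     # NativeDataSize, NativeData
    )
    return ("{\\rtf1\\ansi\n"
            "{\\object\\objemb\\objupdate{\\*\\objclass Equation.3}"
            "{\\*\\objdata " + ole1.hex() + "}}\n}")


def has_objupdate(rtf: str) -> bool:
    """True when the \\objupdate control word is present (RTF_OBJUPDATE).
    Control words are maximal alphabetic runs, so the lookahead keeps
    '\\objupdatex' from matching."""
    return re.search(r"\\objupdate(?![a-zA-Z])", rtf) is not None


def extract_objdata(rtf: str):
    """Yield (offset, decoded_bytes) for each \\*\\objdata destination.
    Only hex digits at the destination's own group level are kept; control
    words, control symbols and nested groups are skipped. Word's reader is
    laxer than this, so treat it as a first-pass carver, not a full RTF parser."""
    for m in re.finditer(r"\\\*\\objdata(?![a-zA-Z])", rtf):
        depth, i, hexchars = 0, m.end(), []
        while i < len(rtf):
            c = rtf[i]
            if c == "{":
                depth += 1
            elif c == "}":
                if depth == 0:
                    break
                depth -= 1
            elif c == "\\":
                if rtf[i + 1:i + 2] == "'":          # \'hh escaped byte, 4 chars
                    i += 4
                else:
                    cw = CONTROL_WORD.match(rtf, i)
                    i = cw.end() if cw else i + 2     # control word or control symbol
                continue
            elif depth == 0 and c in HEX_DIGITS:
                hexchars.append(c)
            i += 1
        h = "".join(hexchars)
        if len(h) % 2:
            h = h[:-1]            # a dangling nibble cannot form a byte
        yield m.start(), bytes.fromhex(h)


def parse_ole1(blob: bytes) -> dict:
    """Parse the OLE 1.0 native-data header a decoded \\objdata carries:
    OLEVersion, FormatID, ClassName, TopicName, ItemName, NativeDataSize, NativeData."""
    off = 0

    def u32() -> int:
        nonlocal off
        (v,) = struct.unpack_from("<I", blob, off)
        off += 4
        return v

    def lpstr() -> str:
        nonlocal off
        n = u32()
        s = blob[off:off + n]
        off += n
        return s.rstrip(b"\x00").decode("latin-1")

    version = u32()
    fmt = u32()
    class_name = lpstr()
    topic_name = lpstr()
    item_name = lpstr()
    size = u32()
    native = blob[off:off + size]
    return {"ole_version": version, "format_id": fmt, "class_name": class_name,
            "topic_name": topic_name, "item_name": item_name, "native_size": size,
            "native": native, "truncated": len(native) < size}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 is the maximum and means every byte value is equally likely."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def triage(rtf: str, entropy_threshold: float = 7.5) -> dict:
    """Run the checks behind this report's heuristics over one RTF document.
    Flag names and the entropy threshold are illustrative assumptions."""
    objects = []
    for offset, blob in extract_objdata(rtf):
        obj = parse_ole1(blob)
        obj["offset"] = offset
        obj["decoded_size"] = len(blob)
        obj["entropy"] = round(shannon_entropy(obj["native"]), 2)
        objects.append(obj)
    flags = []
    if has_objupdate(rtf):
        flags.append("RTF_OBJUPDATE")
    if objects:
        flags.append("RTF_OBJDATA")
    if any(o["entropy"] >= entropy_threshold for o in objects):
        flags.append("HIGH_ENTROPY_PAYLOAD")
    return {"flags": flags, "objects": objects}


if __name__ == "__main__":
    result = triage(build_sample_rtf())
    print(result["flags"])
    for o in result["objects"]:
        print(f"offset=0x{o['offset']:x} class={o['class_name']} "
              f"native={o['native_size']} bytes entropy={o['entropy']:.2f}")
```

On a real sample the carver's leniency matters: malicious RTFs routinely interleave junk control words, nested groups and odd-length hex inside \objdata because Word tolerates them, and oletools' rtfobj implements that lax grammar in full. The parsed class name is the other check worth keeping: an Equation.3 object is exactly what the RTF_OBJUPDATE heuristic expects to see alongside \objupdate.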