RTF / .DOC malware analysis — malicious · 4ea012231b4ce8f3

MALICIOUS

RTF / .DOC

162.7 KB

MD5: cb97b5224b96f15654c85db2f5400a3e SHA-1: a0bc0764659017f8409c93d4fc512688f5754b5f SHA-256: 4ea012231b4ce8f3c3ce194d3d7f8c5ab140048ccaa3eb9bdc530200a75d7302

147 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1204.002 Malicious File

The RTF file contains embedded OLE object data and is configured to automatically update and activate these objects. This strongly suggests an attempt to deliver and execute a malicious payload. While no specific script or URL was directly extracted, the RTF object data is a common delivery mechanism for malware. The heuristics indicate a high likelihood of malicious OLE object activation.

Heuristics 4

Automatically linked OLE object high RTF_OBJAUTLINK

RTF contains \objautlink — an automatically linked OLE object surface that can be updated or activated when Word opens the document.
\objupdate forces OLE activation high RTF_OBJUPDATE

RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
OLE object data medium RTF_OBJDATA

RTF contains 1 \objdata section(s) — embedded OLE objects
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`objdata_00_off000018dd.bin` `ea5786fd4369b94d451f2c06cc62cac73be619744b9872336359090528bbc6f3`	rtf-objdata-decoded	RTF \objdata at offset 0x18DD	64055 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact entropy is 7.93, consistent with packed or encrypted content.

Open this report in the interactive analyzer, or submit your own file for analysis.