RTF / .DOC malware analysis — malicious · 7f867ffa506daf33

MALICIOUS

RTF / .DOC

1.71 MB First seen: 2023-10-10

MD5: b4263ab4382edf798231ec076a069f65 SHA-1: c2da119da3711b3882bacb0e14aff7d734ce59a7 SHA-256: 7f867ffa506daf331cbbf77d987570c56a345d33c37ba3706f575a6deaa1f9d0

102 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1204.002 Malicious File

The RTF file contains a large OLE object with excessive hex data, a common technique for obfuscating embedded payloads. The \objupdate directive indicates an attempt to automatically activate this object, suggesting it's designed to execute malicious code upon opening. No specific family could be identified, but the technique points to a downloader or exploit dropper.

Heuristics 4

\objupdate forces OLE activation high RTF_OBJUPDATE

RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
Large hex data blocks in OLE object high RTF_EXCESSIVE_HEX

RTF contains ~1793KB of hex-encoded data inside \objdata sections — may hide a payload
OLE object data medium RTF_OBJDATA

RTF contains 1 \objdata section(s) — embedded OLE objects
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`objdata_00_off0000008a.bin` `ba95de40508b8e530de7e2790f27272dd8430f05448b9a27327c8b9da9873e21`	rtf-objdata-decoded	RTF \objdata at offset 0x8A	896651 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact entropy is 8.00, consistent with packed or encrypted content.

Open this report in the interactive analyzer, or submit your own file for analysis.