RTF / .DOC malware analysis — malicious · 80509c950f98590d

MALICIOUS

RTF / .DOC

568.5 KB

MD5: 86e99042a326023d8405f97cd56298de SHA-1: c3f09bc42875fd6b1a26d4fb147502a02b17676f SHA-256: 80509c950f98590d01dc28538d4238d8f7df6b45bed9ee43aa374388ea31a2a3

129 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1204.002 Malicious File

The RTF document contains embedded OLE object data and triggers an object update, indicating an attempt to exploit a vulnerability. The presence of `RTF_OBJDATA` and `RTF_OBJUPDATE` heuristics strongly suggests a malicious OLE object is embedded. The `objdata_00_off00000d4a.bin` artifact is the decoded content of this object, likely containing shellcode or a dropper. The attack pattern is inferred from these indicators, pointing towards a malicious attachment designed to exploit Office vulnerabilities.

Heuristics 3

\objupdate forces OLE activation high RTF_OBJUPDATE

RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
OLE object data medium RTF_OBJDATA

RTF contains 1 \objdata section(s) — embedded OLE objects
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`objdata_00_off00000d4a.bin` `e614928706737170aeaaf8ae2fc183d78408b1cdf5ae7490fca6bdc1a7b3a3fb`	rtf-objdata-decoded	RTF \objdata at offset 0xD4A	128585 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact entropy is 7.98, consistent with packed or encrypted content.

Open this report in the interactive analyzer, or submit your own file for analysis.