RTF / .DOC malware analysis — malicious · 81b959953a7d9aee

MALICIOUS

RTF / .DOC

714.3 KB

MD5: b2c03731c7e88886c49ce4a37e95c92f SHA-1: ba617ecc10736d21bc2e45637d424c5bfb6f7e6e SHA-256: 81b959953a7d9aee5c2bf88e977cdf2a9e9bef99c04ba89c26671ade1e9619ec

102 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1204.002 Malicious File

The RTF document contains OLE object data that is automatically linked and updated, indicating an attempt to execute embedded content. The heuristic firings strongly suggest the exploitation of RTF parsing to activate an OLE object, likely a malicious payload. The extracted artifact 'objdata_00_off00000064.bin' is the most probable component of this attack.

Heuristics 4

Automatically linked OLE object high RTF_OBJAUTLINK

RTF contains \objautlink — an automatically linked OLE object surface that can be updated or activated when Word opens the document.
\objupdate forces OLE activation high RTF_OBJUPDATE

RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
OLE object data medium RTF_OBJDATA

RTF contains 1 \objdata section(s) — embedded OLE objects
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`objdata_00_off00000064.bin` `38da94ba67d2167d3a249b62219ad77b94a592a315e3d5b6e2b448cf41f9ee49`	rtf-objdata-decoded	RTF \objdata at offset 0x64	365517 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact entropy is 8.00, consistent with packed or encrypted content.

Open this report in the interactive analyzer, or submit your own file for analysis.