RTF / .DOC malware analysis — malicious · 926abc64d1247534

MALICIOUS

RTF / .DOC

1.21 MB First seen: 2023-07-26

MD5: a5950b5128669c9349a93cbcd7d0c737 SHA-1: a57afb24cc49a483f3aab2718cf9aacedc629f89 SHA-256: 926abc64d12475346a3ab12abc5bbe66ff4b679dc270ab7f9160e3dc3f03f2e5

102 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1027 Obfuscated Files or Information

The RTF file contains a large amount of hex-encoded data within an OLE object, indicated by the RTF_EXCESSIVE_HEX heuristic. The RTF_OBJUPDATE heuristic suggests that this embedded object is designed to be activated automatically. This points to a likely attack pattern involving a hidden payload within the OLE object, intended to be executed upon opening the document.

Heuristics 4

\objupdate forces OLE activation high RTF_OBJUPDATE

RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
Large hex data blocks in OLE object high RTF_EXCESSIVE_HEX

RTF contains ~1273KB of hex-encoded data inside \objdata sections — may hide a payload
OLE object data medium RTF_OBJDATA

RTF contains 1 \objdata section(s) — embedded OLE objects
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`objdata_00_off0000008b.bin` `787a94f7ad6c4942c3d6eb22d92c83a00f73f619f1b4bef071466ab9f192c655`	rtf-objdata-decoded	RTF \objdata at offset 0x8B	636630 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact entropy is 8.00, consistent with packed or encrypted content.

Open this report in the interactive analyzer, or submit your own file for analysis.