Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 9345675a0d403682…

Verdict: MALICIOUS

File type: RTF / .DOC

Size: 2.0 KB

MD5:     5b6a2caa770a49973320f77b4a002664
SHA-1:   a72de598594e4ee3a674cb504af90afceb289927
SHA-256: 9345675a0d403682f8a90076ca645698f0fafcd9ce86069ae7e67f7706b0dda2

Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File
  • T1027 Obfuscated Files or Information

The RTF contains one embedded OLE object (a \objdata section) and carries the \objupdate control word, which makes Word update, and therefore instantiate, the object as soon as the document is opened rather than waiting for the user to click it. That combination indicates the file is designed to execute its embedded content. ClamAV's detection as 'Rtf.Dropper.Agent-6965217-0' points to dropper functionality. Because the document has no body text, the specific lure cannot be determined, but the technical indicators point to malicious OLE object execution.

Heuristics (3)

  • ClamAV: Rtf.Dropper.Agent-6965217-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Rtf.Dropper.Agent-6965217-0
  • \objupdate forces OLE activation (severity: high, rule: RTF_OBJUPDATE)
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, without any user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium, rule: RTF_OBJDATA)
    RTF contains 1 \objdata section(s), i.e. embedded OLE object(s) stored as hex-encoded OLE1 data

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00000022.bin
SHA-256:  dec63d828a858925d352082fe846a052e9b4ca1a8e11835ae75f862a80ebe427
Kind:     rtf-objdata-decoded
Source:   RTF \objdata at offset 0x22
Size:     928 bytes
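As an added worked example, not part of this report or of the tool that produced it, the following Python script reproduces the two RTF heuristics (RTF_OBJUPDATE, RTF_OBJDATA) and the carving step shown in the artifact table: it locates \objdata groups, decodes their hex stream while skipping control words an obfuscator may have interleaved, carves each object with the same objdata_NN_offXXXXXXXX.bin naming, and parses the OLE1 ObjectHeader to recover the embedded class name. The sample RTF, its OLE1 payload (class name Equation.3, native data bytes) and the resulting offsets are constructed here for illustration and are not taken from the analysed file.

```python
import hashlib
import re
import struct

# --- constructed sample (NOT the analysed file) -------------------------------
def _lp_string(s: bytes) -> bytes:
    """OLE1 LengthPrefixedAnsiString: DWORD length (incl. NUL) + NUL-terminated text."""
    s = s + b"\0"
    return struct.pack("<I", len(s)) + s

NATIVE = b"\x1c\x00\x00\x00\x02\x00\x9e\xc4"          # made-up native payload bytes
OLE1_PAYLOAD = (
    struct.pack("<II", 0x00000501, 2)                    # OLEVersion, FormatID 2 = EmbeddedObject
    + _lp_string(b"Equation.3")                          # ClassName (illustrative)
    + struct.pack("<I", 0) + struct.pack("<I", 0)        # empty TopicName, ItemName
    + struct.pack("<I", len(NATIVE)) + NATIVE            # NativeDataSize, NativeData
)
SAMPLE_RTF = (
    rb"{\rtf1\ansi{\object\objemb\objupdate{\*\objclass Equation.3}{\*\objdata "
    + OLE1_PAYLOAD.hex().encode("ascii") + rb"}}}"
)

HEX = frozenset(b"0123456789abcdefABCDEF")
ALNUM = b"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-"


def has_objupdate(data: bytes) -> bool:
    """RTF_OBJUPDATE: the control word must end where the letters end (\objupdate1 etc. excluded)."""
    return re.search(rb"\\objupdate(?![A-Za-z])", data) is not None


def carve_objdata(data: bytes) -> list:
    """RTF_OBJDATA: decode every \objdata group into raw bytes, tracking brace depth."""
    results = []
    for m in re.finditer(rb"\\objdata(?![A-Za-z])", data):
        pos, depth, hexchars = m.end(), 1, bytearray()
        while pos < len(data) and depth > 0:
            c = data[pos]
            if c == ord("{"):
                depth += 1
            elif c == ord("}"):
                depth -= 1
            elif c == ord("\\"):
                # skip an interleaved control word; obfuscated samples use these
                # to break naive "read hex until }" extractors
                pos += 1
                while pos < len(data) and data[pos] in ALNUM:
                    pos += 1
                continue
            elif c in HEX:
                hexchars.append(c)
            pos += 1
        if len(hexchars) % 2:
            hexchars.pop()                               # dangling nibble from a truncated group
        blob = bytes.fromhex(hexchars.decode("ascii"))
        results.append({"offset": m.start(), "size": len(blob),
                        "sha256": hashlib.sha256(blob).hexdigest(), "data": blob})
    return results


def parse_ole1_header(blob: bytes):
    """Parse the MS-OLEDS ObjectHeader at the start of a decoded \objdata blob.
    OLEVersion, FormatID, then ClassName/TopicName/ItemName as length-prefixed
    ANSI strings; FormatID 2 (EmbeddedObject) is followed by NativeDataSize + data.
    Returns None when the blob is too short to hold the header."""
    try:
        version, fmt = struct.unpack_from("<II", blob, 0)
        pos, names = 8, []
        for _ in range(3):
            (n,) = struct.unpack_from("<I", blob, pos)
            pos += 4
            if pos + n > len(blob):
                return None
            names.append(blob[pos:pos + n].rstrip(b"\0").decode("latin-1"))
            pos += n
    except struct.error:
        return None
    hdr = {"version": version, "format_id": fmt, "class_name": names[0],
           "topic_name": names[1], "item_name": names[2], "native": b""}
    if fmt == 2 and pos + 4 <= len(blob):
        (size,) = struct.unpack_from("<I", blob, pos)
        hdr["native"] = blob[pos + 4:pos + 4 + size]
    return hdr


def analyse(data: bytes) -> dict:
    objects = [{**obj, "ole1": parse_ole1_header(obj["data"])} for obj in carve_objdata(data)]
    return {"objupdate": has_objupdate(data), "objects": objects}


if __name__ == "__main__":
    import sys
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_RTF
    result = analyse(raw)
    print(f"objupdate present: {result['objupdate']}")
    for i, obj in enumerate(result["objects"]):
        name = f"objdata_{i:02d}_off{obj['offset']:08x}.bin"   # same naming as the artifact table
        with open(name, "wb") as fh:
            fh.write(obj["data"])
        hdr = obj["ole1"] or {}
        print(f"{name}: {obj['size']} bytes sha256={obj['sha256']} class={hdr.get('class_name')}")
```

Run it with a path to an RTF to carve its objects into the current directory, or with no argument to process the constructed sample. The carved OLE1 blob, not the RTF, is what should be hashed and submitted for further analysis, since the same native payload can be re-wrapped in arbitrarily different RTF text.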