Office (OLE) / .RTF malware analysis — malicious · 96d4f8d912cd3644

MALICIOUS

Office (OLE) / .RTF

254.5 KB

MD5: c30646001864a15820729be2133286ba SHA-1: b775fbbd9dc92125950c46b96c91891da62bd209 SHA-256: 96d4f8d912cd364431bd36b35b7d16b2e5295510d6aa8ec6601233858b73be71

240 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1059.003 Windows Command Shell T1204.002 Malicious File

The RTF file contains an embedded PE executable, identified by the OLE_EMBEDDED_EXE heuristic. The presence of NOP sleds and references to WinExec and ShellExecute APIs suggest the embedded executable is designed to perform arbitrary code execution. The large slack space in the OLE structure is also anomalous. The document body text is benign and appears to be unrelated religious content, indicating a likely lure to disguise the malicious embedded payload.

Heuristics 6

Embedded PE executable critical OLE_EMBEDDED_EXE

MZ/PE header found inside document — possible embedded executable
NOP sled detected high SC_NOP_SLED

Found 20+ consecutive 0x90 bytes
Reference to WinExec API high SC_STR_WINEXEC

Reference to WinExec API
Reference to ShellExecute API high SC_STR_SHELLEXEC

Reference to ShellExecute API
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 260,618 bytes but its declared streams total only 95,053 bytes — 165,565 bytes (64%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC

Reference to VirtualAlloc API

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`embedded_office_00032a00.exe` `4990afa7cb9205a6bf62976af54f060cb06ee129d8ed8a472ba02a3346bddd32`	embedded-pe	Office MZ+PE at offset 0x32A00	53258 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.