Malicious Office (OLE) / .RTF — malware analysis report

Static analysis result for SHA-256 a2b80bea6e5f7a2d…

MALICIOUS

Office (OLE) / .RTF

Size: 204.8 KB | Created: 2001-12-14 14:26:00 | Authoring application: Microsoft Word 9.0
MD5: a4c633bb65757a5fc9586b02a1e375de
SHA-1: 9d3084373f8bd424f739ccb2612e5570fb6bde04
SHA-256: a2b80bea6e5f7a2d7870b9eb84228c3e94eab8f2cf92f4e0161de919bd9c8c5b
Risk Score: 80

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File
T1566.001 Spearphishing Attachment

The file is an OLE compound document carrying an .rtf extension, a common disguise for delivering malicious content: the extension invites the recipient to treat it as plain RTF while Word parses it as an OLE container. The large slack space in the OLE structure suggests obfuscation or the presence of embedded malicious code. Although no specific scripts or URLs were extracted, the heuristics strongly indicate a malicious document designed to exploit a parser vulnerability when opened.

Heuristics (2)

  • OLE document has large unaccounted-for region (severity: high, OLE_SLACK_ANOMALY)
    The OLE file is 209,739 bytes, but its declared streams total only 94,801 bytes; the remaining 114,938 bytes (55%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • OLE ObjectPool in file named RTF (severity: high, OLE_OBJECTPOOL_CONTAINER_DISGUISED_RTF)
    The file is an OLE compound document named .rtf and contains ObjectPool embedded-object storage, suggesting a disguised Word/OLE container whose embedded objects present additional attack surface.