Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 a6258b46adfb734f…

MALICIOUS

RTF / .DOC

448.1 KB
MD5: 81171c87878db7a0a21cc56c95dfc1f1
SHA-1: cce276d1f0983fe7534b7b0648e85cc9b51b4dbc
SHA-256: a6258b46adfb734f248d3aa3d0f7b57c0d1a5bbfde1e8eb665d6ee21548ec089
Risk Score: 174

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File

The RTF document contains OLE object data and uses an \objupdate directive, indicating an attempt to exploit OLE object activation. This suggests the file is designed to drop and execute a secondary payload, likely leveraging a known vulnerability. The extracted artifact 'objdata_00_off00001bc9.bin' is a key indicator of this malicious activity.

Heuristics (3)

  • \objupdate forces OLE activation (severity: high, rule: RTF_OBJUPDATE)
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium, rule: RTF_OBJDATA)
    RTF contains 1 \objdata section(s) — embedded OLE objects.
  • Suspicious extracted artifact (severity: info, rule: EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00001bc9.bin
SHA-256: 1a303662ea3b7c81f357c5f3297443ddb35fd3660d26422e7f0b629b3a61e3f8
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x1BC9
Size: 129069 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.97, consistent with packed or encrypted content.