RTF / .DOC malware analysis — malicious · b136291a17e064dd

MALICIOUS

RTF / .DOC

896.0 KB

MD5: 138ab57f963695072c50dd6cbf5a2050 SHA-1: 83cf0888f144cd5dcc66b823689b093d06785856 SHA-256: b136291a17e064dd9d44cc454556980107d96da2a0adb1a31eb2db3531b6832a

62 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1204.002 Malicious File

The RTF document contains an OLE object with an \objupdate directive, indicating an attempt to automatically activate embedded content. This technique is commonly used to exploit vulnerabilities or deliver secondary payloads. While no specific exploit or payload was directly identified, the presence of these indicators strongly suggests a malicious intent to execute code upon opening.

Heuristics 3

\objupdate forces OLE activation high RTF_OBJUPDATE

RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
OLE object data medium RTF_OBJDATA

RTF contains 1 \objdata section(s) — embedded OLE objects
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`objdata_00_off00000066.bin` `f3456cda382f329c0114f10635c959ed12a1fce40ecbf2133fc5d0593e469ad8`	rtf-objdata-decoded	RTF \objdata at offset 0x66	458649 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact entropy is 8.00, consistent with packed or encrypted content.

Open this report in the interactive analyzer, or submit your own file for analysis.