RTF / .DOC malware analysis — malicious · b6a6ff003727e8fe

MALICIOUS

RTF / .DOC

319.3 KB

MD5: eaf353f50d090caa75e67f05393c8717 SHA-1: 9dcea91cea5313f75f69ad255fd919497d418904 SHA-256: b6a6ff003727e8fe59a6d10a4ea5fa4b066e15cd0ecba552c4d7d3d08da0d986

192 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1204.002 Malicious File

The RTF document contains embedded OLE objects that are automatically linked and updated, indicating an attempt to execute code upon opening. The heuristic firings strongly suggest the exploitation of OLE object vulnerabilities. While no specific script was extracted, the presence of the OLE object data points towards a malicious payload delivery mechanism.

Heuristics 4

Automatically linked OLE object high RTF_OBJAUTLINK

RTF contains \objautlink — an automatically linked OLE object surface that can be updated or activated when Word opens the document.
\objupdate forces OLE activation high RTF_OBJUPDATE

RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
OLE object data medium RTF_OBJDATA

RTF contains 1 \objdata section(s) — embedded OLE objects
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`objdata_00_off0000176b.bin` `9b5703c27923a11fc9f89a096202f1086f97d8b303a99d12c4fa20725029b1b1`	rtf-objdata-decoded	RTF \objdata at offset 0x176B	64060 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact entropy is 7.93, consistent with packed or encrypted content.

Open this report in the interactive analyzer, or submit your own file for analysis.