Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 c0ded1fae7b9bc04…

MALICIOUS

RTF / .DOC

350.3 KB
MD5: 8a7e277713541edcba685f7548b0120f SHA-1: 34a7472b682f6eb4d2d2e60c44639130f6152d2a SHA-256: c0ded1fae7b9bc0422ae464c86d6cc2e64d7536a3f660d91c521ca52db6d0d21
Risk Score: 129

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.001 PowerShell
  • T1204.002 Malicious File

The file is an RTF document containing OLE object data and an object update trigger, indicating an attempt to execute embedded content. The heuristic firings suggest exploitation of RTF object embedding and update mechanisms. While the specific payload is not directly visible, the presence of these indicators strongly suggests a malicious intent to deliver and execute further stages.

Heuristics (3)

  • \objupdate forces OLE activation (severity: high, rule: RTF_OBJUPDATE)
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium, rule: RTF_OBJDATA)
    RTF contains 1 \objdata section(s) containing embedded OLE objects.
  • Suspicious extracted artifact (severity: info, rule: EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off000018bf.bin
SHA-256: 55f0c4c96e022fd81a8af9e8be92ad3e52bcd39fd64b77b1f19b28051112f27b
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x18BF
Size: 64067 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.93, consistent with packed or encrypted content.