RTF / .DOC malware analysis — malicious · c0e7a1ca3d7bc1f0

MALICIOUS

RTF / .DOC

506.7 KB

MD5: afe44ea039bd80ef98946f68173194c3 SHA-1: 92b62c2cba884b7d6c960a3c5c6e5e38837796f6 SHA-256: c0e7a1ca3d7bc1f08a7a407473cca961088d60e43adb2c5f78d381c3b930a31e

129 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.001 PowerShell T1204.002 Malicious File

The RTF document contains OLE object data, indicated by the RTF_OBJDATA heuristic. The RTF_OBJUPDATE heuristic suggests that this OLE object is designed to be activated, likely leading to the execution of embedded malicious content. The extracted artifact 'objdata_00_off000012fb.bin' is highly suspicious and likely contains the second-stage payload. The lack of readable document body text or scripts makes it difficult to determine the exact lure or final payload, hence the 'unknown family' designation and moderate confidence.

Heuristics 3

\objupdate forces OLE activation high RTF_OBJUPDATE

RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
OLE object data medium RTF_OBJDATA

RTF contains 1 \objdata section(s) — embedded OLE objects
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`objdata_00_off000012fb.bin` `5ed57b38afe4b612dadfbaf009c4824643613f63141629c27bb4ef2dc61e9854`	rtf-objdata-decoded	RTF \objdata at offset 0x12FB	128575 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact entropy is 7.98, consistent with packed or encrypted content.

Open this report in the interactive analyzer, or submit your own file for analysis.