Malicious Office (OLE) / .RTF — malware analysis report

Static analysis result for SHA-256 c8734e6c353bd99e…

MALICIOUS

Office (OLE) / .RTF

Size: 155.3 KB
Created: 2001-12-14 14:26:00
Authoring application: Microsoft Word 9.0
MD5: accf6ac59c96181d856ea62174d23183
SHA-1: c1a90ce3c0d357119d5ccc032a978037362288b1
SHA-256: c8734e6c353bd99ef4f0bb9e688835383c52fb36d8872ce78b7604a363b4a714
Risk Score: 80

Malware Insights

MITRE ATT&CK
T1559.001 Component Object Model Hijacking

The file is an OLE document with a significant amount of slack space, and it contains an ObjectPool disguised as an RTF file. This suggests an attempt to hide malicious content or exploit a vulnerability within the OLE structure. The document body is heavily obfuscated and unreadable, providing no direct clues about the intended lure. The heuristics indicate a sophisticated method of file manipulation, likely for exploitation.

Heuristics (2)

  • OLE document has large unaccounted-for region (severity: high, rule: OLE_SLACK_ANOMALY)
    OLE file is 158,980 bytes but its declared streams total only 94,801 bytes; the remaining 64,179 bytes (40%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • OLE ObjectPool in file named RTF (severity: high, rule: OLE_OBJECTPOOL_CONTAINER_DISGUISED_RTF)
    File is an OLE compound document with an .rtf filename and contains ObjectPool embedded-object storage, suggesting a disguised Word/OLE container with embedded-object attack surface.