Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 d97fb29b37ae2eef…

MALICIOUS

RTF / .DOC

505.4 KB
MD5: 7c80d5c0b2e49ac7e3c926af0f90462f SHA-1: 466e4e6b20cc9320207d2f4e249ec1d1988aa830 SHA-256: d97fb29b37ae2eef33eb0329313f73fb174504fc185caf15e032b3ec14fea4d1
Risk Score: 129

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious File

The RTF document contains OLE object data and an \objupdate directive, which asks Word to instantiate the embedded object as soon as the document is opened rather than when the user double-clicks it. \objupdate has almost no legitimate use, so the combination of the two firings indicates an exploit or downloader delivered through OLE object activation: the vulnerable component is the OLE server that handles the embedded object (see the Equation Editor note under Heuristics), not the RTF parser itself. No script or URL was extracted directly, so the payload is inferred from the presence of the OLE data rather than observed. Because the document has no readable body text and no scripts, static analysis alone cannot determine the exact payload; the carved \objdata blob listed under Extracted artifacts is the next thing to inspect.

Heuristics 3

  • \objupdate forces OLE activation (severity: high, rule RTF_OBJUPDATE)
    RTF contains \objupdate, which tells Word to instantiate the embedded OLE object when the document is opened, so the object's handler runs without any user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium, rule RTF_OBJDATA)
    RTF contains 1 \objdata section(s): hex-encoded embedded OLE object(s).
  • Suspicious extracted artifact (severity: info, rule EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files carved from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms. For this sample the carved \objdata blob is the only extracted artifact; its entropy is reported under Detection.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: objdata_00_off00000dc1.bin
SHA-256: fc8f481b22dd1de87c90169acbe0b8bff918d7e372aec733eadc6801741f5c37
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0xDC1
Size: 128559 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.98 bits per byte (maximum 8.0), consistent with packed or encrypted content. A clean ClamAV result on such a blob carries little weight, since signature scanning does not see through packed or encrypted data; unpacking the carved blob or detonating the document is needed to recover the actual payload.
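As an added example, not code from this report or its analysis platform: a Python triage script that reproduces the checks the report applies, namely the \objupdate test (RTF_OBJUPDATE), carving and hex-decoding of \objdata groups with parsing of the OLE1 ObjectHeader that precedes the native data (RTF_OBJDATA), and the byte-entropy measurement used under Detection. The RTF sample is constructed for the example, the rule names are reused only as labels, and the OLE1 header layout assumed (version, format id, length-prefixed class, topic and item names, then a length-prefixed native-data blob) is the standard OLE 1.0 object header. The carver deliberately drops control words and non-hex bytes inside the hex run, which is how real carvers cope with obfuscated \objdata.

```python
import math
import re
import struct

# Magic of an OLE2 compound file, the usual container for an embedded
# object's native data (Equation Editor objects included).
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# Constructed test input (NOT the analysed sample): one embedded object of
# class Equation.3 inside an \objupdate group so it activates on open. The
# hex is a hand-built OLE1 ObjectHeader followed by a 32-byte stub of an
# OLE2 header; a real sample carries a full compound file there.
SAMPLE_RTF = rb"""{\rtf1\ansi\deff0
{\fonttbl{\f0 Calibri;}}
{\object\objemb\objupdate{\*\objclass Equation.3}
{\*\objdata 01050000 02000000 0b000000
4571756174696f6e2e3300 00000000 00000000 20000000
d0cf11e0a1b11ae1 00000000000000000000000000000000 3e000300feff0900
}}
\par visible body text
}"""

CONTROL_WORD = re.compile(rb"\\[A-Za-z]+-?\d*")
NON_HEX = re.compile(rb"[^0-9A-Fa-f]")


def has_objupdate(rtf: bytes) -> bool:
    """RTF_OBJUPDATE: the document asks Word to instantiate objects on load."""
    return re.search(rb"\\objupdate(?![A-Za-z])", rtf) is not None


def carve_objdata(rtf: bytes):
    """RTF_OBJDATA: yield (offset, decoded_bytes) for every \\objdata group.
    The group ends at the brace balancing the one that encloses \\objdata;
    control words and non-hex bytes inside the run are dropped, which also
    strips the junk that obfuscated documents sprinkle into the hex."""
    for m in re.finditer(rb"\\objdata(?![A-Za-z])", rtf):
        depth, pos = 1, m.end()
        while pos < len(rtf) and depth:
            if rtf[pos] == 0x7B:        # '{'
                depth += 1
            elif rtf[pos] == 0x7D:      # '}'
                depth -= 1
            pos += 1
        hexrun = NON_HEX.sub(b"", CONTROL_WORD.sub(b"", rtf[m.end():pos - 1]))
        if len(hexrun) % 2:             # dangling nibble: ignore it
            hexrun = hexrun[:-1]
        yield m.start(), bytes.fromhex(hexrun.decode("ascii"))


def parse_ole1(blob: bytes):
    """Parse the OLE1 ObjectHeader a well-formed \\objdata blob starts with.
    Returns None if the blob is truncated or a length field is bogus."""
    def u32(off):
        return struct.unpack_from("<I", blob, off)[0]

    def lpstr(off):                     # u32 length, then NUL-terminated bytes
        n = u32(off)
        if off + 4 + n > len(blob):
            raise ValueError("length field runs past end of blob")
        return blob[off + 4:off + 4 + n].rstrip(b"\0").decode("latin-1"), off + 4 + n

    try:
        version, fmt = u32(0), u32(4)
        class_name, off = lpstr(8)
        topic, off = lpstr(off)
        item, off = lpstr(off)
        data_len = u32(off)
        native = blob[off + 4:off + 4 + data_len]
    except (struct.error, ValueError):
        return None
    return {"version": version, "format_id": fmt, "class_name": class_name,
            "topic": topic, "item": item, "declared_len": data_len,
            "native_data": native, "ole2": native.startswith(OLE2_MAGIC)}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 to 8.0; values near 8 mean packed or encrypted."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in (data.count(b) for b in set(data)))


def triage(rtf: bytes) -> dict:
    """Run the three checks and return one report for the document."""
    objects = [{"offset": off, "size": len(blob),
                "entropy": round(shannon_entropy(blob), 2),
                "header": parse_ole1(blob)} for off, blob in carve_objdata(rtf)]
    return {"objupdate": has_objupdate(rtf), "objects": objects}


if __name__ == "__main__":
    report = triage(SAMPLE_RTF)
    print("objupdate:", report["objupdate"])
    for o in report["objects"]:
        h = o["header"] or {}
        print(f"objdata at 0x{o['offset']:X}: {o['size']} bytes, entropy "
              f"{o['entropy']}, class {h.get('class_name')!r}, OLE2: {h.get('ole2')}")
```

On the constructed sample the script reports the \objupdate firing, one carved object whose OLE1 header names the class Equation.3 and whose native data starts with the OLE2 magic, and a low entropy because the stub is mostly zero bytes. Run it over the real document and the same native-data field is what the report's artifact (entropy 7.98) corresponds to; an entropy close to 8.0 there says the object body is packed or encrypted and has to be unpacked before anything signature-based can be expected to match.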