Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 e6429752834e2a3e…

MALICIOUS

RTF / .DOC

381.2 KB
MD5: 3492839faeb9dcbeee57dd06c747dd04 SHA-1: 5288dcf9432c91b8895a84d444cc6b7828c058d1 SHA-256: e6429752834e2a3ecc1df3b5052defdc6ad2d3130785e7040db7d8aecfc1c35d
129 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1566.001 Spearphishing Attachment T1204.002 Malicious File

The RTF document contains embedded OLE object data, indicated by the RTF_OBJDATA heuristic. The RTF_OBJUPDATE heuristic suggests that this embedded object is designed to be activated, likely leading to the execution of malicious code. The presence of a suspicious extracted artifact (objdata_00_off00000b5c.bin) further supports this. The attack pattern involves leveraging OLE object activation to bypass initial security checks and deliver a payload.

Heuristics 3

  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off00000b5c.bin
9bf9814736f2de209b8d2bb11282d5beee2d3dcc5f2aa13f3421fccfc040a306		 rtf-objdata-decoded RTF \objdata at offset 0xB5C 64586 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.92, consistent with packed or encrypted content.

Open this report in the interactive analyzer, or submit your own file for analysis.