RTF malware analysis — malicious · fb19842d4c58e754

MALICIOUS

RTF

531.4 KB

MD5: a7028b2e09413934c5292b83bc5c1d29 SHA-1: 60de03a6e0d78d9f04db429c37533e1df4939865 SHA-256: fb19842d4c58e75484f33e41c6b938548cb9d3df39955a7ed063b57d69e5e49a

122 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment

The RTF file contains OLE object data and a \objupdate directive, which are strong indicators of malicious intent. ClamAV detected this as Rtf.Dropper.Agent-7626023-0, suggesting it acts as a dropper for other malware. The embedded OLE object, objdata_00_off0000168f.bin, is likely the payload. The document body is heavily obfuscated and does not provide clear textual lures.

Heuristics 4

ClamAV: Rtf.Dropper.Agent-7626023-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Rtf.Dropper.Agent-7626023-0
\objupdate forces OLE activation high RTF_OBJUPDATE

RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
OLE object data medium RTF_OBJDATA

RTF contains 1 \objdata section(s) — embedded OLE objects
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`objdata_00_off0000168f.bin` `e0f5dada46660b8586ef8b53d7ff9141f14c38cafd4de65f82f45bad4c361870`	rtf-objdata-decoded	RTF \objdata at offset 0x168F	269170 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact entropy is 8.00, consistent with packed or encrypted content.

Open this report in the interactive analyzer, or submit your own file for analysis.