RTF / .DOC malware analysis — malicious · fda6905b52e31be0

MALICIOUS

RTF / .DOC

1.31 MB First seen: 2023-07-19

MD5: b115afe0e3b6cfcfd998ef6e75f0cf10 SHA-1: 10e03fbd6789cd287443e4fd9c38e2bdfa93837b SHA-256: fda6905b52e31be00c704e3e972f070e1be6d10156b3a450cc5c5cdde3539776

102 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1204.002 Malicious File

The RTF document contains a large OLE object with excessive hex-encoded data, strongly suggesting it hides a payload. The \objupdate directive indicates an attempt to force OLE activation, likely to trigger an exploit. No document body text or scripts were extracted, but the presence of the OLE object and the heuristics point to a malicious document designed to deliver a secondary payload.

Heuristics 4

\objupdate forces OLE activation high RTF_OBJUPDATE

RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
Large hex data blocks in OLE object high RTF_EXCESSIVE_HEX

RTF contains ~1373KB of hex-encoded data inside \objdata sections — may hide a payload
OLE object data medium RTF_OBJDATA

RTF contains 1 \objdata section(s) — embedded OLE objects
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`objdata_00_off0000008b.bin` `ca4b765b1b1fd5009237e330944db1a4ef27240468b8a0137e1214ea90034d8a`	rtf-objdata-decoded	RTF \objdata at offset 0x8B	686953 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact entropy is 8.00, consistent with packed or encrypted content.

Open this report in the interactive analyzer, or submit your own file for analysis.