Malicious RTF — malware analysis report

Static analysis result for SHA-256 05a290dc38d9c9c0…

MALICIOUS

RTF

145.7 KB
MD5: 8a89c6289c87e518d75a252c4d41d678
SHA-1: 80b2fe8cb322e844f8efd9a73fd19cdbd7d61819
SHA-256: 05a290dc38d9c9c0d8b063151cb4db3f3dd672139bc1de573782ea7e43897bc8

Risk Score: 140

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The RTF file contains embedded OLE objects, one of which is identified as a Package object. A critical heuristic matched on a PE header within the hex-encoded object data, indicating an embedded executable. The document body also contains what appears to be a filename ending in '.exe', further supporting the presence of an embedded executable payload.

Heuristics (4)

  • PE header (with DOS stub) in hex data — severity: critical — rule: RTF_MZ_HEX
    Hex-encoded PE (MZ + DOS stub) found inside RTF; likely an embedded executable payload
  • Package object class — severity: high — rule: RTF_OBJCLASS_PACKAGE
    OLE Package object; can wrap arbitrary files
  • OLE object data — severity: medium — rule: RTF_OBJDATA
    RTF contains 1 \objdata section(s); embedded OLE objects
  • Embedded OLE object — severity: medium — rule: RTF_OBJEMB
    RTF contains \objemb; embedded OLE object

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off000002c0.bin
SHA-256: d477ee7f83b2a7d93b891f96e4e679ef41fa22b45e232a26e873144ef8fde371
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x2C0
Size: 68663 bytes