Malicious RTF — malware analysis report

Static analysis result for SHA-256 0a365db1f11c241e…

Verdict: MALICIOUS

File type: RTF

Size: 20.1 KB
Authoring application: Msftedit 5.41.15.1507

MD5: 9b23fad452af16f7d678ccbe9a201653
SHA-1: 9c87b656227dce1207213360d5f3e7012b224785
SHA-256: 0a365db1f11c241ea344fea8c151bcea82cc496005b44d40ee616c13bf127eb6

Risk Score: 140

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The RTF file contains embedded OLE objects, including a package object and PE header in hex data. This strongly suggests the file is designed to deliver a malicious executable payload to the victim. The embedded object is likely intended to be executed upon opening, leading to further compromise.

Heuristics (4)

  • PE header (with DOS stub) in hex data [severity: critical, rule: RTF_MZ_HEX]
    Hex-encoded PE (MZ + DOS stub) found inside RTF — likely an embedded executable payload
  • Package object class [severity: high, rule: RTF_OBJCLASS_PACKAGE]
    OLE Package object — can wrap arbitrary files
  • OLE object data [severity: medium, rule: RTF_OBJDATA]
    RTF contains 1 \objdata section(s) — embedded OLE objects
  • Embedded OLE object [severity: medium, rule: RTF_OBJEMB]
    RTF contains \objemb — embedded OLE object

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  • Filename: objdata_00_off000000e9.bin
    SHA-256: 2e89b780d882f9f92fe300d6f03a6d920f87eb76320294ae45b356561317096f
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0xE9
    Size: 6167 bytes