Malicious RTF — malware analysis report

Static analysis result for SHA-256 0d637c61a4d19c55…

Verdict: MALICIOUS
File type: RTF
Size: 387.0 KB
First seen: 2025-02-09
MD5: 3841830371a2a35e712d43507806b8c8
SHA-1: 0792f1c5edd51247c5562f3b8ee0dd130cc6fa91
SHA-256: 0d637c61a4d19c5558140fb82d345a30fa8642917cf903d8aa3cfcf30a4a52f3
Risk Score: 80

Malware Insights

MITRE ATT&CK
  • T1204 Malicious Link
  • T1204.002 Malicious Link: Malicious File
  • T1566 Phishing
  • T1566.001 Phishing: Spearphishing Attachment

The RTF file contains OLE object data and an \objupdate directive, indicating it is designed to activate embedded objects. The document body explicitly instructs the user to 'click Enable editing from the yellow bar above,' a common lure to bypass security settings and enable malicious content. This suggests the file is a dropper intended to download and execute a secondary payload.

Heuristics (3)

  • \objupdate forces OLE activation (severity: high, rule: RTF_OBJUPDATE)
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium, rule: RTF_OBJDATA)
    RTF contains 1 \objdata section(s) — embedded OLE objects
  • Macro/content-enable lure (severity: medium, rule: SE_ENABLE_LURE)
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off000156cc.bin
SHA-256: fcc4301eba3758bb0be9bdf8044f2242fa713e5987ac174a6bdcea71e03bdea2
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x156CC
Size: 1793 bytes