Malicious RTF — malware analysis report

Static analysis result for SHA-256 19cb38547f3fd2c5…

Verdict: MALICIOUS
File type: RTF
Size: 8.9 KB
MD5: ea44293388c94214e2617547991eda3f
SHA-1: 0b49fb3b1884ad3af79ff1722fb5df8d77e60eaa
SHA-256: 19cb38547f3fd2c587aea5193730165d1e0706324b79c9cd60c809a23d73497a
Risk Score: 60

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.001 PowerShell

The file is an RTF document containing OLE object data and an \objupdate directive, which forces OLE activation. This suggests the document is designed to exploit vulnerabilities or deliver malicious content through embedded objects. No document body text or scripts were available for further analysis, limiting the ability to determine the specific payload or delivery mechanism. The heuristics strongly indicate a malicious RTF file designed to leverage OLE object activation.

Heuristics (2)

  • RTF_OBJUPDATE (severity: high): \objupdate forces OLE activation
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • RTF_OBJDATA (severity: medium): OLE object data
    RTF contains 1 \objdata section(s) — embedded OLE objects.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off0000149f.bin
SHA-256: 74181c82268f727907b632337a3e4c8ad4fc197ee1243fb8ec09119ca8cbd945
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x149F
Size: 1765 bytes