Malicious RTF — malware analysis report

Static analysis result for SHA-256 1a4ef62200ee36c2…

MALICIOUS

RTF

12.8 KB
MD5: 8264f0f80077c2bb7deca3f8c489bdbb SHA-1: 736c59bcb2f65a0575d9cdb19993a3336c246906 SHA-256: 1a4ef62200ee36c2b8c4dffff031cba842d2df0a51312708a062f744bded6ac5
60 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.001 PowerShell

The RTF file contains OLE object data and an \objupdate directive, indicating an attempt to embed and activate external content. While no specific document body text or scripts were provided for analysis, these heuristics strongly suggest a malicious intent, likely to exploit OLE vulnerabilities or deliver a payload. The presence of embedded URLs further supports a delivery mechanism.

Heuristics 2

  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off00001a79.bin
b450970e184f1ae6c49bb166e8038cbfa86ff6bbc12efcfd7892b03ca3d27288		 rtf-objdata-decoded RTF \objdata at offset 0x1A79 1895 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.