Malicious RTF — malware analysis report

Static analysis result for SHA-256 2e1e058ab664282b…

MALICIOUS

RTF

161.0 KB First seen: 2025-03-20
MD5: f30321ea573da6df80e3cea1cc7474e5 SHA-1: 057be00c9f27267677197e48425226e282cb1d3d SHA-256: 2e1e058ab664282b6bbe0cab7304dca2f71fa0773226c7bdb86219eeaf1a598f
60 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious File

The RTF file contains OLE object data and a heuristic firing for \objupdate, which forces OLE activation. This strongly suggests the file is designed to exploit vulnerabilities associated with OLE objects, likely leading to the execution of a secondary payload. No document body or script content was available for further analysis.

Heuristics 2

  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off000016f1.bin
7bfa606d38374914007c3f20204e809d9a060aacd0478e7d571ae57f45a0f891		 rtf-objdata-decoded RTF \objdata at offset 0x16F1 4694 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.