Malicious RTF — malware analysis report

Static analysis result for SHA-256 3b095c3cc630f4d7…

Verdict: MALICIOUS
File type: RTF
Size: 11.3 KB
MD5: c2e71c44b7a06d503935fb2e6c7286bc
SHA-1: 32997da932d565e97c0eb8ba9dd50f8d358985af
SHA-256: 3b095c3cc630f4d7c8c3f00627ef721047fa91ab86c65ee5d4fb07489574c6f1
Risk score: 60

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The RTF file contains OLE object data and uses the \objupdate directive, which forces embedded OLE objects to be activated when the document is opened, a technique used to trigger OLE-based exploits without user interaction. No document body content or scripts were extracted that would identify the exact payload or delivery mechanism, but the combination of these RTF-specific indicators strongly suggests malicious intent, most likely an attempt to download and execute a secondary payload.

Heuristics (2)

  • \objupdate forces OLE activation (severity: high, rule RTF_OBJUPDATE)
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium, rule RTF_OBJDATA)
    RTF contains 1 \objdata section(s), i.e. embedded OLE objects.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00001b17.bin
SHA-256:  83364e8b88e07f7d1c9d37a9d4bb67ee2932568a4d9c814d45f2096db03cabf5
Kind:     rtf-objdata-decoded
Source:   RTF \objdata at offset 0x1B17
Size:     1674 bytes