Malicious RTF — malware analysis report

Static analysis result for SHA-256 4af88e30dd378fac…

Verdict: MALICIOUS
File type: RTF
Size: 56.9 KB
First seen: 2026-06-06
MD5: 49124cddb864e154f4b9da60d8fc829b
SHA-1: d0ac6316f3355e352b74e68d0c1d79a7be43a2f4
SHA-256: 4af88e30dd378fac94e15697d4a4b59394e8e2cb3dc4f01ce200c6b57ec113bc
Risk score: 120

Heuristics (3)

  • Split hex Equation Editor ProgID + OLE object (severity: critical; tag: CVE likely; rule: RTF_EQUATION_EDITOR)
    The RTF carries the Equation.3 ProgID as hex bytes inside the OLE object stream, next to the control words that activate the object, and breaks that hex stream with whitespace or an ignorable RTF group. The split defeats naive string matching on the raw file but decodes to the same bytes once the \objdata hex is reassembled. Activating Equation.3 is the Equation Editor surface used by CVE-2017-11882 / CVE-2018-0802 exploit documents.
  • \objupdate forces OLE activation (severity: high; rule: RTF_OBJUPDATE)
    The RTF contains \objupdate, which makes Word load and update the embedded OLE object as soon as the document is rendered, so the object is activated without the user double-clicking it. Rare in benign RTF and a hallmark of Equation Editor exploit documents.
  • OLE object data (severity: medium; rule: RTF_OBJDATA)
    The RTF contains 1 \objdata section, i.e. one embedded OLE object. The decoded copy is listed under Extracted artifacts below.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00001199.bin
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x1199 (4505)
Size: 1821 bytes
SHA-256: 1c1693e4cba751698c58fae8d66f0014389ab71866d8b56cabaa810f1a2bd5ef
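The three heuristics above and the carving of the \objdata artifact can be reproduced with a small RTF scanner. The Python below is an added example written for this page, not the scanner's or the report's own code. It assumes each OLE object sits in a {\*\objdata ...} group (the \* prefix optional), that the hex pairs may be interrupted by whitespace or by nested ignorable groups, and that the decoded bytes begin with an OLE 1.0 ObjectHeader (OLEVersion, FormatID, length-prefixed ClassName). The two RTF samples inside it are constructed, not the analysed file; the ignorable group {\*\unkwn} and the helper names (carve_objdata, ole1_class_name, analyse, ole1_blob) are this example's own.

```python
"""Carve RTF \\objdata streams and re-run the report's three heuristics (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional

EQUATION_PROGID = b"Equation.3"
HEX_DIGITS = set("0123456789abcdefABCDEF")


@dataclass
class CarvedObject:
    offset: int            # offset of the '{' opening the \objdata group
    data: bytes            # hex-decoded OLE object data
    split_by_ws: bool      # hex stream interrupted by whitespace
    split_by_group: bool   # hex stream interrupted by a nested RTF group


def _skip_control(rtf: str, i: int) -> int:
    """Return the index just past the control word or symbol starting at rtf[i] == '\\'."""
    j = i + 1
    if j < len(rtf) and rtf[j].isalpha():          # control word: letters, optional numeric parameter
        while j < len(rtf) and rtf[j].isalpha():
            j += 1
        while j < len(rtf) and (rtf[j].isdigit() or rtf[j] == "-"):
            j += 1
        if j < len(rtf) and rtf[j] == " ":         # the delimiter space belongs to the control word
            j += 1
    else:                                          # control symbol such as \* \{ \}
        j += 1
    return j


def carve_objdata(rtf: str) -> List[CarvedObject]:
    """Decode every \\objdata group; hex at depth 1 is kept, nested groups and whitespace are skipped."""
    objects = []
    for m in re.finditer(r"\{(?:\\\*)?\\objdata\b", rtf):
        i, depth = m.end(), 1
        hex_chars: List[str] = []
        gap_ws = gap_group = False       # a gap seen since the last hex digit
        split_ws = split_group = False   # a gap confirmed because more hex followed it
        while i < len(rtf) and depth > 0:
            c = rtf[i]
            if c == "\\":
                i = _skip_control(rtf, i)
                continue
            if c == "{":
                depth += 1
                gap_group = gap_group or bool(hex_chars)
            elif c == "}":
                depth -= 1
            elif depth == 1:
                if c in HEX_DIGITS:
                    split_ws, split_group = split_ws or gap_ws, split_group or gap_group
                    gap_ws = gap_group = False
                    hex_chars.append(c)
                elif c.isspace():
                    gap_ws = gap_ws or bool(hex_chars)
            i += 1
        hex_str = "".join(hex_chars)
        data = bytes.fromhex(hex_str[: len(hex_str) & ~1])   # drop a dangling odd nibble
        objects.append(CarvedObject(m.start(), data, split_ws, split_group))
    return objects


def ole1_class_name(data: bytes) -> Optional[bytes]:
    """ClassName from an OLE 1.0 ObjectHeader: OLEVersion(4) FormatID(4) NameLength(4) Name."""
    if len(data) < 12:
        return None
    fmt = int.from_bytes(data[4:8], "little")
    n = int.from_bytes(data[8:12], "little")
    if fmt not in (1, 2) or n == 0 or n > 256 or len(data) < 12 + n:
        return None
    return data[12:12 + n].rstrip(b"\x00")


def analyse(rtf: str) -> dict:
    """Return carved objects plus the heuristic IDs that fire, in the report's terms."""
    objects = carve_objdata(rtf)
    findings = []
    if re.search(r"\\objupdate\b", rtf):                 # auto-activation on open
        findings.append("RTF_OBJUPDATE")
    if objects:                                          # any embedded OLE object
        findings.append("RTF_OBJDATA")
    for o in objects:                                    # Equation.3 reached through a split hex stream
        split = o.split_by_ws or o.split_by_group
        if split and (EQUATION_PROGID in o.data or ole1_class_name(o.data) == EQUATION_PROGID):
            findings.append("RTF_EQUATION_EDITOR")
            break
    return {"objects": objects, "findings": findings}


def ole1_blob(class_name: bytes, native: bytes) -> bytes:
    """Build a minimal OLE 1.0 embedded object (FormatID 2) for the constructed samples."""
    name = class_name + b"\x00"
    return (b"\x01\x05\x00\x00" + (2).to_bytes(4, "little")
            + len(name).to_bytes(4, "little") + name
            + (0).to_bytes(4, "little") + (0).to_bytes(4, "little")   # empty TopicName, ItemName
            + len(native).to_bytes(4, "little") + native)


# Constructed samples, not the analysed file. The malicious one splits the hex with a space,
# a CRLF and the ignorable group {\*\unkwn} placed inside the "Equation.3" bytes.
_EQ_HEX = ole1_blob(EQUATION_PROGID, b"\xde\xad\xbe\xef").hex()
MALICIOUS_RTF = (
    r"{\rtf1\ansi\deff0 Invoice attached.{\object\objemb\objupdate{\*\objclass Equation.3}"
    + r"{\*\objdata " + _EQ_HEX[:16] + " " + _EQ_HEX[16:24] + "\r\n"
    + _EQ_HEX[24:32] + r"{\*\unkwn}" + _EQ_HEX[32:] + "}}}"
)
BENIGN_RTF = r"{\rtf1\ansi{\object\objemb{\*\objdata " + ole1_blob(b"Package", b"A").hex() + "}}}"

if __name__ == "__main__":
    for label, sample in (("malicious", MALICIOUS_RTF), ("benign", BENIGN_RTF)):
        result = analyse(sample)
        for o in result["objects"]:
            print(f"{label}: objdata at 0x{o.offset:x}, {len(o.data)} bytes, class {ole1_class_name(o.data)!r}")
        print(f"{label}: {result['findings']}")
```

The point of checking the decoded stream rather than the raw text is visible in the malicious sample: the string "Equation.3" never appears as contiguous hex in the file, yet the carved object's ClassName is exactly Equation.3, which is the condition the RTF_EQUATION_EDITOR rule describes. For real triage, rtfobj from oletools covers many more RTF obfuscation tricks than this parser does; the benign sample (a plain Package object, no \objupdate, no split) shows why RTF_OBJDATA alone is only rated medium.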