Malicious RTF — malware analysis report

Static analysis result for SHA-256 4bc7b8fded24a280…

MALICIOUS

RTF

8.2 KB
MD5: 79448c02d4b2b2e220122144474ee234 SHA-1: 5260a71629c84e7e092cf9734cf105729483e661 SHA-256: 4bc7b8fded24a280c35ebce0b4cecc83725e655ed1c983a5e8ac10e29aabd379
80 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1566.001 Spearphishing Attachment T1204.002 Malicious File

The RTF file contains embedded OLE objects and triggers OLE activation via \objupdate, indicating an attempt to execute embedded code. The presence of RTF_OBJDATA and RTF_OBJEMB heuristics strongly suggests the file is designed to exploit OLE object handling. While no specific payload or URL was directly extracted, the structure points to a downloader or exploit delivery mechanism. The document body was heavily obfuscated and unreadable, preventing further analysis of the lure.

Heuristics 3

  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects
  • Embedded OLE object medium RTF_OBJEMB
    RTF contains \objemb — embedded OLE object

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off00000fb9.bin
73691a4231e7c0abcf84ceb5c483971fa04c7af54ce579256365a275ba00ee8f		 rtf-objdata-decoded RTF \objdata at offset 0xFB9 1566 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.