Malicious RTF / .OLE — malware analysis report

Static analysis result for SHA-256 575c6b83dc27d675…

MALICIOUS

RTF / .OLE

117.6 KB
MD5: 1b7b32a3c7e63c942739e79ce8cd6763 SHA-1: c440696eb93ec323d68b81e1386addaab18fec70 SHA-256: 575c6b83dc27d675dbb398591804e9a788b6ae312b02ccb5e842c4b6af0818e2
60 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment

The RTF document contains embedded OLE object data and a \objupdate heuristic firing, indicating that the document is designed to automatically activate and execute embedded content when opened. This is a common technique for delivering malicious payloads. No scripts were extracted, and the document body was truncated, limiting further analysis of the specific payload or lure.

Heuristics 2

  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off000015ed.bin
2df4ada2c17d655916de0e4f2859eea2c99e0086d9d06064f77aecb7ae46aafe		 rtf-objdata-decoded RTF \objdata at offset 0x15ED 36642 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.