RTF malware analysis — malicious · 5a4805a897cb3cb5

MALICIOUS

RTF

171.3 KB Authoring application: Msftedit 5.41.15.1507

MD5: 371fd57e3fd78711ed5f06490428309e SHA-1: 828803a88161d66563ededfb7ce89bebdb362a0c SHA-256: 5a4805a897cb3cb59ce4572885fe38ba398e7cca07ada53d073a204accd1c7d9

142 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The RTF document contains an embedded OLE object, identified as a package object, which in turn contains a PE header in its hex data. This strongly suggests the RTF is a container for a malicious executable payload. The embedded artifact, objdata_00_off000000d4.bin, is likely the dropped executable. The primary attack pattern is likely spearphishing attachment, leading to client execution via the embedded payload.

Heuristics 5

PE header (with DOS stub) in hex data critical RTF_MZ_HEX

Hex-encoded PE (MZ + DOS stub) found inside RTF — likely an embedded executable payload
Package object class high RTF_OBJCLASS_PACKAGE

OLE Package object — can wrap arbitrary files
OLE object data medium RTF_OBJDATA

RTF contains 1 \objdata section(s) — embedded OLE objects
Embedded OLE object medium RTF_OBJEMB

RTF contains \objemb — embedded OLE object
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`objdata_00_off000000d4.bin` `cb8e0f84dd7315b42c777e55b9afb27fd647ddedbfb99de84ee1e20de6ae4f12`	rtf-objdata-decoded	RTF \objdata at offset 0xD4	85135 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact entropy is 7.81, consistent with packed or encrypted content.

Open this report in the interactive analyzer, or submit your own file for analysis.