Malicious RTF — malware analysis report

Static analysis result for SHA-256 60387fa70e35e1e1…

Verdict: MALICIOUS
File type: RTF
Size: 83.0 KB
First seen: 2025-08-01
MD5: 8ff98020e484772841571c29d3ed026e
SHA-1: 42d2a8d6742bbfa01585f7af513013bbd865c1ac
SHA-256: 60387fa70e35e1e1c1a2d5d7544a7b3e4cbf39da35427b1ce4f9c3a8ec5ca185
Risk score: 60

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious File

The RTF file contains OLE object data and uses an \objupdate directive, indicating it's designed to trigger OLE object activation. This mechanism is commonly used to embed and execute malicious code, often to download and run a second-stage payload. The embedded OLE object, objdata_00_off00001cd7.bin, is the primary artifact facilitating this attack.

Heuristics (2)

  • \objupdate forces OLE activation (severity: high, rule: RTF_OBJUPDATE)
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium, rule: RTF_OBJDATA)
    RTF contains 1 \objdata section(s) — embedded OLE objects

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00001cd7.bin
SHA-256: 96272590aa5ad5772c33bc0d7d22bd5667c85d1f2642194452e11269f5d09afb
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x1CD7
Size: 4257 bytes