Malicious RTF — malware analysis report

Static analysis result for SHA-256 72144467c0aa47ae…

MALICIOUS

RTF

145.8 KB First seen: 2025-02-24
MD5: 22b0e65a9f5c91abcb6e19ef38f6ec14 SHA-1: f3256e426e1032d5604d3fc5ad5ce330fe63369b SHA-256: 72144467c0aa47aef8e8fdcaa7a8faab45ad6ad2776055c28bc2efc131c1e353
60 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious File

The RTF file contains OLE object data and uses \objupdate, indicating an attempt to exploit OLE object activation. This suggests a malicious document designed to deliver a payload. The lack of readable document body text or scripts prevents a more specific determination of the attack's immediate goal or family.

Heuristics 2

  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off00001bfe.bin
2ad9b2d7aa400ecfb51cc6fb1453777cd99dc6836b494dc8d61f801978f26240		 rtf-objdata-decoded RTF \objdata at offset 0x1BFE 4176 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.