RTF malware analysis — malicious · 8b5dc629aed7255c

MALICIOUS

RTF

152.5 KB Authoring application: Msftedit 5.41.15.1515

MD5: 113c454d8bbdae086eda60688eeb3ae5 SHA-1: a91e6be1434ac0683bac3895bd285e9c9f9e0956 SHA-256: 8b5dc629aed7255c1611c97290e3abb0f4fc42e653cb3c14abc1a8658de55cf2

142 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1204.002 Malicious Link

The RTF document contains embedded OLE objects, including a package object and PE header in hex data, indicating it is designed to deliver a payload. The document body text, 'clique sobre as letras pequenas para ficar GRANDES', suggests a social engineering lure to encourage user interaction. The presence of a PE header within the RTF structure strongly implies the embedded object is an executable payload.

Heuristics 5

PE header (with DOS stub) in hex data critical RTF_MZ_HEX

Hex-encoded PE (MZ + DOS stub) found inside RTF — likely an embedded executable payload
Package object class high RTF_OBJCLASS_PACKAGE

OLE Package object — can wrap arbitrary files
OLE object data medium RTF_OBJDATA

RTF contains 1 \objdata section(s) — embedded OLE objects
Embedded OLE object medium RTF_OBJEMB

RTF contains \objemb — embedded OLE object
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`objdata_00_off00000122.bin` `c1d1f3e5740c86d711dee81a477e9672b3cfc63e3fba4ffb3fab8bca7acfc69b`	rtf-objdata-decoded	RTF \objdata at offset 0x122	69771 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact entropy is 7.43, consistent with packed or encrypted content.

Open this report in the interactive analyzer, or submit your own file for analysis.