Malicious RTF — malware analysis report

Static analysis result for SHA-256 8bc21f0131d5a9bd…

MALICIOUS

RTF

207.7 KB
MD5: 37e0e3e9c9d844246400ba3fdb1e58a8 SHA-1: 948ba9862714dcb0a1cb79592f9b1bff99035758 SHA-256: 8bc21f0131d5a9bdfeac9656247a152ab211bfb5541e68d3aeda2b5b9033c35f
62 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious File

The RTF file contains OLE object data and an \objupdate directive, indicating it is designed to exploit OLE object activation vulnerabilities. The heuristic firings strongly suggest that embedded OLE objects are present and intended for execution. The extracted artifact 'objdata_00_off0000007a.bin' is likely the payload. The document body content is not indicative of a specific lure.

Heuristics 3

  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off0000007a.bin
c9edbcb48c78bd9748a05e2302a331f643a22d8a3aa06b9de71a5af806d475ee		 rtf-objdata-decoded RTF \objdata at offset 0x7A 82053 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 8.00, consistent with packed or encrypted content.

Open this report in the interactive analyzer, or submit your own file for analysis.