Malicious RTF — malware analysis report

Static analysis result for SHA-256 8f27025ffaeeee18…

Verdict: MALICIOUS
File type: RTF
File size: 13.0 KB
MD5: a0d02b6dc2e26567256399d38db3a1a2
SHA-1: 5ee7fde124c355eaa728d1dadda1e493a8c59819
SHA-256: 8f27025ffaeeee1857bb6c91f5f822f15a8c0bf27cd6bcf86f81fd3bb03c7fd5
Risk score: 60

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell
  • T1204.002 Malicious File

The RTF file contains OLE object data and an \objupdate directive, indicating that it is designed to exploit OLE object activation. No specific payload or URL was directly extracted, but the presence of these indicators strongly suggests a malicious intent to execute embedded code or download a secondary payload upon user interaction. Confidence is moderate because no malicious actions beyond the OLE object embedding were directly observable.

Heuristics (2)

  • \objupdate forces OLE activation (severity: high, rule: RTF_OBJUPDATE)
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium, rule: RTF_OBJDATA)
    RTF contains 1 \objdata section(s), i.e. embedded OLE objects.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00001fac.bin
SHA-256:  3587f352988e37912f0ff235b26082ea302430334d6d0a6276fd3a5ef6836df8
Kind:     rtf-objdata-decoded
Source:   RTF \objdata at offset 0x1FAC
Size:     1840 bytes