Malicious RTF — malware analysis report

Static analysis result for SHA-256 90711bce85f1e493…

Verdict: MALICIOUS
Type: RTF
Size: 11.3 KB
MD5: e8d56e4076174e591fca50e690cbe90d
SHA-1: 5a664f4db895c940e373443dafcd8d074a35ed67
SHA-256: 90711bce85f1e493a168dc52e9b725240fc96e8356e24b6618c77c624ced0ded
Risk Score: 60

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.001 PowerShell

The RTF file contains OLE object data and an \objupdate directive, indicating an attempt to exploit OLE object activation. While no specific document body content or scripts were extracted for direct analysis of the payload, the heuristics strongly suggest a malicious intent to execute embedded content. The presence of \objupdate at offset 0x1A24 is a high-confidence indicator of exploit execution.

Heuristics (2)

  • \objupdate forces OLE activation (severity: high, rule: RTF_OBJUPDATE)
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium, rule: RTF_OBJDATA)
    RTF contains 1 \objdata section(s), i.e. embedded OLE objects.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00001830.bin
SHA-256: 13a3a2798a124d15d4449dd6ccd080fe9bdf1bd14feab7664143a7ee6e33e0a8
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x1830
Size: 1972 bytes