Malicious RTF — malware analysis report

Static analysis result for SHA-256 95907bc7b85e0e00…

MALICIOUS

RTF

Size: 1.01 MB
First seen: 2026-06-04
MD5: 9260e0ea4d3dbf1dcaccfde34a555580
SHA-1: 5a00623ebfea6dd4aad0ba41be00bb9364bc94f3
SHA-256: 95907bc7b85e0e0077d091ef4517929efb897bcc697bf9d9a61e6754e28694ac
Risk Score: 80

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File

The RTF file contains embedded OLE objects and heuristics indicate a lure to enable macros or editing. The document body explicitly instructs the user to 'download the document and click Enable Editing when opening', a common social engineering tactic. The presence of suspicious extracted artifacts, specifically shellcode command strings and a binary file, suggests the embedded object is likely a payload dropper.

Heuristics (3)

  • Suspicious extracted artifact (severity: high, rule: EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • OLE object data (severity: medium, rule: RTF_OBJDATA)
    RTF contains 2 \objdata section(s): embedded OLE objects.
  • Macro/content-enable lure (severity: medium, rule: SE_ENABLE_LURE)
    Document instructs the user to enable macros or editing, a common technique used by malware droppers to bypass Office macro security settings.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                     | Kind                | Source                    | Size
-----------------------------|---------------------|---------------------------|-------------
objdata_00_off00000966.bin   | rtf-objdata-decoded | RTF \objdata at offset 0x966  | 267105 bytes
  SHA-256: 4dade469e5a5934aa8c84e2eb990233d9c1448ef30e8df1253d423a6ea4a7396
objdata_01_off00007115.bin   | rtf-objdata-decoded | RTF \objdata at offset 0x7115 | 267078 bytes
  SHA-256: 554347d034133ccd32a130b46936314fd5066fae49f4cb3d95e3538267b7683e

Detection
ClamAV: No threats found
Obfuscation or payload: likely
Static shellcode analysis recovered command string(s): WScript.Shell"")")