Malicious RTF — malware analysis report

Static analysis result for SHA-256 9f94f61759b69060…

MALICIOUS

RTF

675.6 KB
MD5: 1239854d603dfaf0d332ba7551d98b4e SHA-1: 5e4070dcac6dc3601a37cfd372e38c7274a23d41 SHA-256: 9f94f61759b69060d4690bddc51bf0ff15d6c103779355b2399e039cf0b0cba7
100 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious File

The RTF document contains multiple OLE objects, with one specifically triggering an update that forces activation. This suggests an attempt to execute embedded code. The extracted artifact 'objdata_00_off0000001a.bin' is flagged as suspicious, potentially containing script execution terms. While the exact payload is not fully discernible from the truncated script, the overall structure points to a malicious OLE-based attack. The confidence is moderate due to the lack of complete script visibility.

Heuristics 4

  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 3 \objdata section(s) — embedded OLE objects
  • Embedded OLE object medium RTF_OBJEMB
    RTF contains \objemb — embedded OLE object
  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off0000001a.bin
283da8180dc723471201ee7e913a5258242bd514645ac85f52c285aec4b12b4c		 rtf-objdata-decoded RTF \objdata at offset 0x1A 344151 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 shell/COM execution token(s).
objdata_01_off000a80f7.bin
6ef048de06e9c2e6b420e78a489e52123766b08549a074a5f95b98ffe8558f38		 rtf-objdata-decoded RTF \objdata at offset 0xA80F7 1709 bytes
objdata_02_off000a8107.bin
8935eb605040753f89379b3f05c2cdaefba833ec64299ed9c258020f4c1217b0		 rtf-objdata-decoded RTF \objdata at offset 0xA8107 36 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.