Malicious RTF — malware analysis report

Static analysis result for SHA-256 a2c01043de90dad3…

MALICIOUS

RTF

Size: 1009.1 KB
First seen: 2026-06-04
MD5: f430f87dd5afc4edf09351a2dcf4ed8e
SHA-1: bda3a5fcaeb1fbed88d951199aae20f2f166c0cb
SHA-256: a2c01043de90dad36370254559407639364e95080101ff4ac9202e19c7187e33
Risk Score: 80

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File

The RTF document contains OLE object data and instructs the user to enable editing and macros, a common lure for malware delivery. The presence of suspicious extracted artifacts, identified as shellcode command strings, further indicates malicious intent. The embedded OLE objects are likely payloads or components of a downloader.

Heuristics (3)

  • Suspicious extracted artifact (severity: high, rule: EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • OLE object data (severity: medium, rule: RTF_OBJDATA)
    RTF contains 2 \objdata section(s), i.e. embedded OLE objects.
  • Macro/content-enable lure (severity: medium, rule: SE_ENABLE_LURE)
    Document instructs the user to enable macros or editing, a common technique used by malware droppers to bypass Office macro security settings.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: objdata_00_off00000966.bin
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x966
    Size: 167982 bytes
    SHA-256: 74b9f63bea7d95fa5a55cc46eb123fe992f1dffabe1eee69649b4fd6520e091f
    Detection:
      ClamAV: No threats found
      Obfuscation or payload: likely
      Static shellcode analysis recovered command string(s): WScript.Shell"")")
  • Filename: objdata_01_off0000514d.bin
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x514D
    Size: 167968 bytes
    SHA-256: 38eb8b5015d60306d831efb88e38fe72241a76902d94811203fd7f11c6f08b9c
    Detection:
      ClamAV: No threats found
      Obfuscation or payload: likely
      Static shellcode analysis recovered command string(s): WScript.Shell"")")