Malicious RTF — malware analysis report

Static analysis result for SHA-256 a56c14acef1e0e2e…

MALICIOUS

RTF

384.1 KB First seen: 2026-06-21
MD5: 7f1b0127d24551139a44aa3e782e5b08 SHA-1: af7564ee7959142c3b0d9eb8129605c2ae582cb7 SHA-256: a56c14acef1e0e2e262b5670e539c0008fdb785edf3e96ef285017894b598596
282 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The RTF file contains multiple embedded OLE objects, a common technique for delivering exploits or secondary payloads. ClamAV detections indicate it is a dropper and exploits CVE-2015-1641. The presence of these embedded objects strongly suggests an attempt to exploit a client-side vulnerability upon opening.

Heuristics 6

  • CVE-2015-1641 related RTF Word ActiveX package critical CVE related CVE_2015_1641_ACTIVEX_RELATED
    RTF objdata decodes to a Word.Document.12 package with many identical ActiveX control parts and a single oversized, highly compressed activeX1.bin payload. This is exploit-family evidence for the 2015 Word memory-corruption/uninitialized-memory CVE set.
  • CVE-2015-1770 related RTF Word ActiveX package critical CVE related CVE_2015_1770_ACTIVEX_RELATED
    RTF objdata decodes to a Word.Document.12 package with many identical ActiveX control parts and a single oversized, highly compressed activeX1.bin payload. This is exploit-family evidence for the 2015 Word memory-corruption/uninitialized-memory CVE set.
  • ClamAV: Doc.Dropper.Agent-5489988-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-5489988-0
  • OLE object data medium RTF_OBJDATA
    RTF contains 4 \objdata section(s) — embedded OLE objects
  • Embedded OLE object medium RTF_OBJEMB
    RTF contains \objemb — embedded OLE object
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off0000001f.bin rtf-objdata-decoded RTF \objdata at offset 0x1F 55 bytes
SHA-256: 7ff9ff29b79d0eb38813bfa0b0bb1c5b116d1f9e5468ae52674bb443468658d9
objdata_01_off000000e5.bin rtf-objdata-decoded RTF \objdata at offset 0xE5 49201 bytes
SHA-256: 7f29f2dc8b60c0e5a22575d9c76fd9c3d39604d1acf5cb4d938a63095c61a72e
Detection
ClamAV: Doc.Dropper.Agent-5489988-0
Obfuscation or payload: unlikely
objdata_02_off000187a0.bin rtf-objdata-decoded RTF \objdata at offset 0x187A0 31281 bytes
SHA-256: fe80d59686806afe3dc48f73d54b577558a7c871da17d08d937c5d7b3564e07b
Detection
ClamAV: Doc.Exploit.CVE_2015_1641-6397417-0
Obfuscation or payload: likely
Carved artifact entropy is 7.75, consistent with packed or encrypted content.
objdata_03_off0002802b.bin rtf-objdata-decoded RTF \objdata at offset 0x2802B 50737 bytes
SHA-256: 70ea7ef3bf9966c3297a4e78024e3083013558670d051c2ca3095e2588a576d8
Detection
ClamAV: Win.Exploit.Call4_Dword_Xor-1
Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.