Malicious RTF — malware analysis report

Static analysis result for SHA-256 ade5415fffa0bdc8…

MALICIOUS

RTF

File size: 1.13 MB
Authoring application: Msftedit 5.41.21.2510
MD5: 7f88817c4db6b9b29eb80c8f35fe29c5
SHA-1: f57c4744dd93d21ef255a3cd8582d7bdb39012e0
SHA-256: ade5415fffa0bdc8141453a9e343ebc7c022fdf99d85ae1f9c4c89ccbda00d46
Risk Score: 161

Malware Insights

MITRE ATT&CK
  • T1559.001 Component Object Model
  • T1204.002 Malicious File

The RTF document contains multiple OLE objects, one of which carries an \objupdate control word, indicating an attempt to activate the embedded content automatically when the document is opened. Large amounts of hex-encoded data within these objects suggest a hidden payload. No document body text or scripts were extracted, so the exact nature of the payload and its delivery mechanism remain unclear.

Heuristics (5)

  • [high] RTF_OBJUPDATE: \objupdate forces OLE activation
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • [high] RTF_EXCESSIVE_HEX: Large hex data blocks in OLE object
    RTF contains ~1150KB of hex-encoded data inside \objdata sections — may hide a payload.
  • [medium] RTF_OBJDATA: OLE object data
    RTF contains 3 \objdata section(s) — embedded OLE objects.
  • [medium] RTF_OBJEMB: Embedded OLE object
    RTF contains \objemb — embedded OLE object.
  • [info] EXTRACTED_FILE_STATIC_TRIAGE: Suspicious extracted artifact
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Artifact 1
  Filename: objdata_00_off00005b00.bin
  SHA-256: 4610110257ea105c2c44f75b0d91f8d05f6e9897e1056d946ec756c01081ad66
  Kind: rtf-objdata-decoded
  Source: RTF \objdata at offset 0x5B00
  Size: 575216 bytes
  Detection: ClamAV: No threats found
  Obfuscation or payload: likely. Carved artifact entropy is 8.00, consistent with packed or encrypted content.

Artifact 2
  Filename: objdata_01_off0011e906.bin
  SHA-256: d89d1ed3e6c8322b3dec22e79ac09461e5bb54f4daa294233cd63563b61fecf3
  Kind: rtf-objdata-decoded
  Source: RTF \objdata at offset 0x11E906
  Size: 6847 bytes

Artifact 3
  Filename: objdata_02_off0011e920.bin
  SHA-256: 7e7c57c30159408a972fc99e493a946683f509c437669fd61bef77f933bc105c
  Kind: rtf-objdata-decoded
  Source: RTF \objdata at offset 0x11E920
  Size: 6843 bytes