Malicious RTF — malware analysis report

Static analysis result for SHA-256 af31e1fc29819a6d…

Verdict: MALICIOUS
File type: RTF
Size: 12.0 KB
MD5: b66e275e56b27791628f9b3af948ac61
SHA-1: bd9760cbb1f007712e57d993b4c117d39c466228
SHA-256: af31e1fc29819a6dc4d6240f856a3465aaff564fc5c2dff5788d5e8419f2e30e
Risk score: 60

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.001 PowerShell
  • T1204.002 Malicious File

The RTF contains embedded OLE object data (\objdata) together with an \objupdate control word. \objupdate instructs the application to update the object when the document is opened, so the embedded object is instantiated without the user double-clicking it; this pairing is characteristic of RTF documents built to trigger an OLE-based exploit and fetch or drop a second stage. The two heuristic firings therefore point to a malicious RTF, most likely a downloader or dropper. The SHA-256 hash is the primary IOC. Confidence is moderate: the carved object data contained no script content or URLs, so the exact payload and delivery mechanism are not confirmed.

Heuristics (2)

  • RTF_OBJUPDATE (high): \objupdate forces OLE activation
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • RTF_OBJDATA (medium): OLE object data
    RTF contains 1 \objdata section(s), i.e. embedded OLE objects.
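The two heuristics above amount to a small RTF scanner: look for the \objupdate control word, locate each {\*\objdata ...} group, decode its hex payload and carve the result. The following Python is an added example, not the analysis platform's own code, that does exactly that over a constructed sample RTF (not the analysed file). The sample embeds an OLE 1.0 ObjectHeader naming the class "Equation.3" with an 8-byte native-data stub (the CFB magic) and sets \objupdate; every name, rule ID and severity below mirrors the report's wording but is this example's own assumption.

```python
import hashlib
import re
import struct

# Constructed sample RTF (not the analysed file): one embedded OLE object whose
# \objdata carries an OLE 1.0 ObjectHeader naming the class "Equation.3",
# an 8-byte native-data stub (the CFB magic), and the \objupdate control word.
SAMPLE_RTF = (
    rb"{\rtf1\ansi\deff0{\fonttbl{\f0 Calibri;}}"
    rb"\pard Quarterly figures attached.\par"
    rb"{\object\objemb\objupdate\objw1000\objh500"
    rb"{\*\objclass Equation.3}"
    rb"{\*\objdata 01050000 02000000 0b000000"
    rb" 4571756174696f6e2e3300 00000000 00000000"
    rb" 08000000 d0cf11e0a1b11ae1}"
    rb"}\par}"
)

OBJUPDATE = re.compile(rb"\\objupdate\b")
OBJDATA = re.compile(rb"\\\*\\objdata\b")
HEX_ESCAPE = re.compile(rb"\\'[0-9A-Fa-f]{2}")        # \'hh escapes (they contain hex digits)
CONTROL_WORD = re.compile(rb"\\[A-Za-z]+-?[0-9]*\s?")  # \word or \wordN padding inside the group
CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def find_objdata(rtf: bytes) -> list:
    r"""Locate every {\*\objdata ...} group and decode its hex payload.

    Obfuscated samples pad the hex with whitespace, \'hh escapes and stray control
    words; those are stripped before decoding. \bin (raw binary) is not handled.
    """
    found = []
    for m in OBJDATA.finditer(rtf):
        depth, i = 0, m.end()
        while i < len(rtf):
            c = rtf[i:i + 1]
            if c == b"\\" and rtf[i + 1:i + 2] in (b"{", b"}"):
                i += 2                      # escaped brace, not a group delimiter
                continue
            if c == b"{":
                depth += 1
            elif c == b"}":
                if depth == 0:
                    break                   # closing brace of the objdata group itself
                depth -= 1
            i += 1
        body = CONTROL_WORD.sub(b"", HEX_ESCAPE.sub(b"", rtf[m.end():i]))
        hexdigits = re.sub(rb"[^0-9A-Fa-f]", b"", body)
        if len(hexdigits) % 2:              # dangling nibble: payload was truncated
            hexdigits = hexdigits[:-1]
        found.append({"offset": m.start(),
                      "data": bytes.fromhex(hexdigits.decode("ascii"))})
    return found


def parse_ole1_header(blob: bytes):
    """Split an OLE 1.0 ObjectHeader (MS-OLEDS) into class name and native data.

    Assumes FormatID 2 (embedded object); returns None when the blob is too short.
    """
    try:
        version, format_id, name_len = struct.unpack_from("<III", blob, 0)
        off = 12
        class_name = blob[off:off + name_len].rstrip(b"\0").decode("latin-1", "replace")
        off += name_len
        topic_len, = struct.unpack_from("<I", blob, off)
        off += 4 + topic_len
        item_len, = struct.unpack_from("<I", blob, off)
        off += 4 + item_len
        native_size, = struct.unpack_from("<I", blob, off)
        off += 4
    except struct.error:
        return None
    native = blob[off:off + native_size]
    return {"version": version, "format_id": format_id, "class_name": class_name,
            "native_size": native_size, "native": native,
            "is_cfb": native.startswith(CFB_MAGIC)}


def scan_rtf(rtf: bytes) -> dict:
    """Apply the two report heuristics and carve the decoded objects as artifacts."""
    findings = []
    if OBJUPDATE.search(rtf):
        findings.append(("RTF_OBJUPDATE", "high", "\\objupdate forces OLE activation on open"))
    objects = find_objdata(rtf)
    if objects:
        findings.append(("RTF_OBJDATA", "medium", f"{len(objects)} \\objdata section(s)"))
    artifacts = []
    for n, obj in enumerate(objects):
        hdr = parse_ole1_header(obj["data"]) or {}
        artifacts.append({
            "filename": f"objdata_{n:02d}_off{obj['offset']:08x}.bin",  # report-style name
            "offset": obj["offset"],
            "size": len(obj["data"]),
            "sha256": hashlib.sha256(obj["data"]).hexdigest(),
            "class_name": hdr.get("class_name"),
            "is_cfb": hdr.get("is_cfb", False),
        })
    return {"findings": findings, "artifacts": artifacts}


if __name__ == "__main__":
    report = scan_rtf(SAMPLE_RTF)
    for rule, severity, text in report["findings"]:
        print(f"[{severity:6}] {rule}: {text}")
    for a in report["artifacts"]:
        print(f"{a['filename']}  {a['size']} bytes  class={a['class_name']}  "
              f"cfb={a['is_cfb']}  sha256={a['sha256'][:16]}...")
```

Run against a real sample, the carved `data` is what a follow-up analyst would hand to an OLE/CFB parser; the class name from the OLE 1.0 header is the quickest tell for which handler the document intends to activate, and the \objupdate flag is what distinguishes "opens on its own" from "needs a double-click".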

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00001b10.bin
SHA-256: c6c339613ae7b09abcd0cfa6bf021fcddf3e36c1472155ab0af55785d02f63f7
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x1B10
Size: 1918 bytes