Malicious RTF — malware analysis report

Static analysis result for SHA-256 af742d16f37f3dd3…

Verdict: MALICIOUS
File type: RTF
Size: 13.9 KB
MD5: d3d1074304d996e4a5373a6898a1630b
SHA-1: 5229eeb27a9d2f40f63247c6ca8ad2e071accfbb
SHA-256: af742d16f37f3dd390a31994dd299a448c4ecc78032c7cd9fa55be7307f216cf
Risk Score: 60

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File
  • T1059.001 PowerShell

The RTF document contains OLE object data and triggers an \objupdate event, indicating an attempt to exploit a vulnerability. The presence of embedded OLE objects strongly suggests a malicious intent, likely to download and execute a secondary payload. While no specific family is identified, the techniques used are common for initial compromise.

Heuristics (2)

  • [high] RTF_OBJUPDATE: \objupdate forces OLE activation
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • [medium] RTF_OBJDATA: OLE object data
    RTF contains 1 \objdata section(s), i.e. embedded OLE objects.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00001ef5.bin
SHA-256:  9ffdf1f5d00d4881f28d0a264b6b6343b3fb7bf9d7b73e40e3fee8d47894f6b8
Kind:     rtf-objdata-decoded
Source:   RTF \objdata at offset 0x1EF5
Size:     2247 bytes