Malicious RTF — malware analysis report

Static analysis result for SHA-256 b04bd10f84354b44…

MALICIOUS

RTF

11.5 KB
MD5: 2759d6c45398de5b5886de6572c31752 SHA-1: ce4ebbd697899b2c022394927b81e90101e5fb7a SHA-256: b04bd10f84354b44fccb137bd139b28b4477b73cecf07b62ef5150e735bac4be
60 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.001 PowerShell T1204.002 Malicious File

The RTF file contains OLE object data and an object update trigger, indicating an attempt to execute embedded content. The heuristics suggest a malicious OLE object is present, likely intended to exploit vulnerabilities or deliver a payload. Without further script or body content, the exact execution flow and final payload remain undetermined, leading to an unknown family classification.

Heuristics 2

  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off0000157a.bin
69797d84eda2fcdbb777faa4a4d7e582fc15fe58ffb6f2146102aa7937f9ac0e		 rtf-objdata-decoded RTF \objdata at offset 0x157A 2304 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.