Malicious RTF — malware analysis report

Static analysis result for SHA-256 b23950daed79806b…

MALICIOUS

RTF

11.7 KB
MD5: ae9106420314ade0d675a91bf7789ec0 SHA-1: 9764daa8f3353e3dd32036d866e2df375ac4c6d1 SHA-256: b23950daed79806bfc1f12aae7f189dcf7b0d606f9d1576a152a94b79da7b317
100 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The RTF document contains OLE object data and uses automatic linking and update mechanisms, indicating an attempt to embed and execute external content. The heuristics suggest a malicious OLE object is present, likely intended to exploit vulnerabilities or deliver a secondary payload upon opening. No document body or script content was available for further analysis, limiting the ability to determine the exact nature of the payload or its specific family.

Heuristics 3

  • Automatically linked OLE object high RTF_OBJAUTLINK
    RTF contains \objautlink — an automatically linked OLE object surface that can be updated or activated when Word opens the document.
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off0000089c.bin
081ca37cac2f41285035785ed6d5013bda60340da2622e808953959a8cff4c8f		 rtf-objdata-decoded RTF \objdata at offset 0x89C 3669 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.