Malicious RTF — malware analysis report

Static analysis result for SHA-256 b87e5e9d1ada9064…

Verdict: MALICIOUS
File type: RTF
Size: 4.87 MB
Authoring application: Msftedit 5.41.15.1507
MD5: 58695a73b0093240632ef0e85a3c8020
SHA-1: 0a6facff7989744b32568a5fff0c9239f039a926
SHA-256: b87e5e9d1ada90648605a81e99d4657692d5308d8efd68791dffc4741bc0b8b4
Risk score: 180

Malware Insights

MITRE ATT&CK
T1559.001 Inter-Process Communication: Component Object Model
T1137.001 Office Application Startup: Office Template Macros
(Note: the technique names belong to the IDs listed. Component Object Model Hijacking is T1546.015 and DLL Search Order Hijacking is T1574.001; neither is evidenced by the static indicators below, so treat this mapping as heuristic.)

The RTF document contains multiple indicators of a malicious OLE object: an embedded object (\objemb) whose class is declared as an OLE Package, a wrapper that can carry an arbitrary file. The critical-severity heuristic found a PE header (MZ signature followed by a DOS stub) inside the hex-encoded \objdata, strongly suggesting the embedded object is an executable payload. The file's SHA-256 hash is the primary IOC; the SHA-256 of the carved object is listed under Extracted artifacts.

Heuristics (5)

  • [critical] RTF_MZ_HEX: PE header (with DOS stub) in hex data
    Hex-encoded PE (MZ + DOS stub) found inside the RTF; likely an embedded executable payload
  • [high] RTF_OBJCLASS_PACKAGE: Package object class
    OLE Package object; can wrap arbitrary files
  • [high] RTF_EXCESSIVE_HEX: Large hex data blocks in OLE object
    RTF contains ~3958 KB of hex-encoded data inside \objdata sections; may hide a payload
  • [medium] RTF_OBJDATA: OLE object data
    RTF contains 1 \objdata section(s); embedded OLE objects
  • [medium] RTF_OBJEMB: Embedded OLE object
    RTF contains \objemb; embedded OLE object

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off000000d1.bin
SHA-256: 809dc9311dd466a3f68db8657edcc985b4f001ac8169ae278466cd1ebeed48d0
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0xD1
Size: 1929896 bytes (roughly half the ~3958 KB of hex noted above, as expected for two hex characters per byte plus line breaks)
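The heuristics and the artifact carving above can be reproduced with a short scanner. The following is an added example written for this page, not the analysis platform's own code: it builds a constructed RTF carrying a fake Package object whose \objdata hex starts with an MZ header and DOS stub, locates each \objdata group, decodes the hex, checks the five rule IDs from the report, and carves the decoded blob under the same objdata_NN_offXXXXXXXX.bin naming. The excessive-hex threshold (64 KB) and the choice of the \objdata control word's own position as the reported offset are assumptions; real obfuscated samples interleave control words inside the hex, which a production tool such as oletools' rtfobj handles and this scanner does not.

```python
import hashlib
import re

DOS_STUB_MSG = b"This program cannot be run in DOS mode."

# Assumed threshold for the "excessive hex" heuristic; the report's sample
# carried ~3958 KB of hex, far above it.
EXCESSIVE_HEX_BYTES = 64 * 1024

OBJDATA_RE = re.compile(rb"\\objdata")
NON_HEX_RE = re.compile(rb"[^0-9A-Fa-f]")


def build_fake_pe(size=4096):
    """Constructed stand-in for an embedded executable: a 64-byte MZ header
    whose e_lfanew (offset 0x3C) points at a 'PE\\0\\0' signature, with the
    classic DOS stub message in between. It is not a runnable program."""
    blob = bytearray(size)
    blob[0:2] = b"MZ"
    blob[0x3C:0x40] = (0x80).to_bytes(4, "little")
    blob[0x4E:0x4E + len(DOS_STUB_MSG)] = DOS_STUB_MSG
    blob[0x80:0x84] = b"PE\x00\x00"
    return bytes(blob)


def build_sample_rtf(payload):
    """Constructed RTF with one embedded OLE Package object. RTF writers emit
    \\objdata as hex broken into lines; 64-character lines are used here.
    A real Package object wraps the file in an OLE1 container, omitted for
    brevity (the MZ scan below searches and so does not depend on it)."""
    hexdata = payload.hex()
    lines = [hexdata[i:i + 64] for i in range(0, len(hexdata), 64)]
    return (b"{\\rtf1\\ansi\\deff0 Invoice attached.\\par\n"
            b"{\\object\\objemb\\objw1440\\objh1440{\\*\\objclass Package}\n"
            b"{\\*\\objdata\n" + "\n".join(lines).encode() + b"\n}}}")


def find_objdata_blocks(rtf):
    """Return (offset of the \\objdata control word, hex bytes) per group.
    The hex runs to the group's closing brace; whitespace is stripped."""
    blocks = []
    for m in OBJDATA_RE.finditer(rtf):
        end = rtf.find(b"}", m.end())
        if end == -1:
            end = len(rtf)
        blocks.append((m.start(), NON_HEX_RE.sub(b"", rtf[m.end():end])))
    return blocks


def decode_hex(hexdata):
    """Decode RTF hex, tolerating a dangling nibble at the end."""
    if len(hexdata) % 2:
        hexdata = hexdata[:-1]
    return bytes.fromhex(hexdata.decode("ascii"))


def find_pe_headers(blob):
    """Offsets of MZ headers that carry the DOS stub message and whose
    e_lfanew points at 'PE\\0\\0'. A search rather than an offset-0 check
    matters because OLE1/Package wrappers precede the executable."""
    hits = []
    for m in re.finditer(rb"MZ", blob):
        i = m.start()
        if len(blob) < i + 0x40:
            continue
        e_lfanew = int.from_bytes(blob[i + 0x3C:i + 0x40], "little")
        has_stub = DOS_STUB_MSG in blob[i + 0x40:i + 0x200]
        has_pe = blob[i + e_lfanew:i + e_lfanew + 4] == b"PE\x00\x00"
        if has_stub and has_pe:
            hits.append(i)
    return hits


def analyze_rtf(rtf):
    """Run the report's five heuristics and carve each decoded \\objdata.
    Returns ([(rule_id, severity)], [artifact dicts])."""
    findings = []
    blocks = find_objdata_blocks(rtf)
    if b"\\objemb" in rtf:
        findings.append(("RTF_OBJEMB", "medium"))
    if blocks:
        findings.append(("RTF_OBJDATA", "medium"))
    if re.search(rb"\\objclass\s+Package\b", rtf):
        findings.append(("RTF_OBJCLASS_PACKAGE", "high"))
    if sum(len(h) for _, h in blocks) > EXCESSIVE_HEX_BYTES:
        findings.append(("RTF_EXCESSIVE_HEX", "high"))
    artifacts, saw_pe = [], False
    for idx, (off, hexdata) in enumerate(blocks):
        blob = decode_hex(hexdata)
        saw_pe = saw_pe or bool(find_pe_headers(blob))
        artifacts.append({
            "filename": f"objdata_{idx:02d}_off{off:08x}.bin",
            "sha256": hashlib.sha256(blob).hexdigest(),
            "size": len(blob),
            "data": blob,
        })
    if saw_pe:
        findings.append(("RTF_MZ_HEX", "critical"))
    return findings, artifacts


if __name__ == "__main__":
    findings, artifacts = analyze_rtf(build_sample_rtf(build_fake_pe()))
    for rule, severity in findings:
        print(f"[{severity:>8}] {rule}")
    for a in artifacts:
        print(a["filename"], a["sha256"], a["size"], "bytes")
```

Against a real sample, write each artifact's data field to disk and hash it; the SHA-256 of the carved blob, not just of the RTF, is what to pivot on, since the same executable is routinely re-wrapped in fresh RTF containers.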