Malicious RTF — malware analysis report

Static analysis result for SHA-256 bcec79683d37cd07…

Verdict: MALICIOUS
File type: RTF
Size: 197.7 KB
Authoring application: Msftedit 5.41.15.1507
MD5: b96dd2553df92b27027e59d86fceb28d
SHA-1: ee600b514cfd0f9b98b48b75f39c5bcceea4ec85
SHA-256: bcec79683d37cd0743bfc8ddf04c07e1d4a09e01c7d6e44122267a32ff61739e
Risk score: 140

Malware Insights

MITRE ATT&CK
  • T1559.001 Component Object Model
  • T1137.001 DLL Search Order Hijacking

The RTF file contains multiple OLE objects, including a package object that embeds executable content. The presence of a PE header within the hex data strongly suggests that these embedded objects are intended to deliver a malicious executable payload. No document body or scripts were extracted, limiting further analysis of the specific lure.

Heuristics (4)

  • PE header (with DOS stub) in hex data — severity: critical — rule: RTF_MZ_HEX
    Hex-encoded PE (MZ + DOS stub) found inside RTF — likely an embedded executable payload
  • Package object class — severity: high — rule: RTF_OBJCLASS_PACKAGE
    OLE Package object — can wrap arbitrary files
  • OLE object data — severity: medium — rule: RTF_OBJDATA
    RTF contains 10 \objdata section(s) — embedded OLE objects
  • Embedded OLE object — severity: medium — rule: RTF_OBJEMB
    RTF contains \objemb — embedded OLE object

Extracted artifacts (10)

Files carved from inside the sample during analysis. All ten \objdata sections decode to the same size (6066 bytes).

Filename                     Kind                 Source                          Size        SHA-256
objdata_00_off000000e8.bin   rtf-objdata-decoded  RTF \objdata at offset 0xE8     6066 bytes  e0e9818f59897aceee0d7c94f4e64a3f629e025b0f57c0548dfd39cd893d91cf
objdata_01_off00004fe9.bin   rtf-objdata-decoded  RTF \objdata at offset 0x4FE9   6066 bytes  0a729a8b3df2b5019c2d8b0d2fd8c07d5a400153ff36f45a3a7275dbe9677a46
objdata_02_off00009eea.bin   rtf-objdata-decoded  RTF \objdata at offset 0x9EEA   6066 bytes  a6b7f8690d274327e6dda005f28db356a31b52d8ac9b6f572f5971fa11da05c2
objdata_03_off0000edeb.bin   rtf-objdata-decoded  RTF \objdata at offset 0xEDEB   6066 bytes  09d376d9ba701f903ed637339f979c887ed278d7c09f35e939e2b58da96a1498
objdata_04_off00013cec.bin   rtf-objdata-decoded  RTF \objdata at offset 0x13CEC  6066 bytes  c66fa198e0d8c2f8f50a88b824f8f02bfb61e6d8d0781a8318e612ffca9c0231
objdata_05_off00018bed.bin   rtf-objdata-decoded  RTF \objdata at offset 0x18BED  6066 bytes  5270782cb044dbe878c1367940fd06b3f9c51af8d15fd42965b1de5f601d25d9
objdata_06_off0001daee.bin   rtf-objdata-decoded  RTF \objdata at offset 0x1DAEE  6066 bytes  881487ce5357e4745f6c966aede30bfd001cfd4ac8f6911b2690d89c58a7185e
objdata_07_off000229ef.bin   rtf-objdata-decoded  RTF \objdata at offset 0x229EF  6066 bytes  21c32083673b93a9b1e2c5f969f2a61598044bafc234730c588b8f377cb78bd0
objdata_08_off000278f0.bin   rtf-objdata-decoded  RTF \objdata at offset 0x278F0  6066 bytes  b1c02fa9d53a83a023ddd323a5f7e08b3d61f8f94382e54269234dd03480968e
objdata_09_off0002c7f1.bin   rtf-objdata-decoded  RTF \objdata at offset 0x2C7F1  6066 bytes  6f190139d7d68ca3d45696d7fc87e3afa2f7d677ad84cc96037e36a138840d17