Malicious RTF — malware analysis report

Static analysis result for SHA-256 c6965ed29b749ef4…

MALICIOUS

RTF

Size: 78.2 KB
First seen: 2026-06-22
MD5: 0ec626cae3404fc758050ee2d6394f20
SHA-1: 72c99b2aff41ccaf69b1bc107543d365bef7f0e9
SHA-256: c6965ed29b749ef46f509d22dde18112146ea8653f3ddb4b8927684c2f0bf8b2
Risk Score: 80

Heuristics 3

  • \objupdate forces OLE activation (severity: high, rule: RTF_OBJUPDATE)
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium, rule: RTF_OBJDATA)
    RTF contains 1 \objdata section(s) — embedded OLE objects
  • Embedded OLE object (severity: medium, rule: RTF_OBJEMB)
    RTF contains \objemb — embedded OLE object

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: objdata_00_off0000184e.bin
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x184E
Size: 4175 bytes
SHA-256: f7975652dca9920975f592b88ce68d7ecba1296e8e5727255de14b5f46e87e2d