Malicious RTF — malware analysis report

Static analysis result for SHA-256 d30e87fdd4d55320…

MALICIOUS

RTF

82.3 KB First seen: 2025-08-13
MD5: 1a37f60d72b1a1eafad214d23101eccc SHA-1: 8146bf3f1452962cab0771d0eace60aae19b03a9 SHA-256: d30e87fdd4d55320cb1c56d33013a2567dea5675847e91c307f133a9ec7ec63e
60 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious File

The RTF file contains OLE object data and an \objupdate directive, indicating an attempt to exploit OLE activation mechanisms. While no specific exploit or payload is directly visible in the provided excerpts, these indicators strongly suggest a malicious intent to execute code upon opening. The document body is heavily obfuscated and does not provide clear textual lures.

Heuristics 2

  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off000019e4.bin
a829158d72bb6a3a7986dc2c25c072457d46d7d8b9ac56c5b601d8289589886d		 rtf-objdata-decoded RTF \objdata at offset 0x19E4 4226 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.