Malicious RTF — malware analysis report

Static analysis result for SHA-256 d4117443a89d53c0…

Verdict: MALICIOUS
File type: RTF
Size: 10.8 KB
MD5: aa5513fe0ee90e9d0f60bdb77c2988b1
SHA-1: 5202d3130e61356bcee8e0f7ff3449e066d5b76b
SHA-256: d4117443a89d53c06a34738989637574edbc8ba8befc607b6895f239a65e88bc
Risk Score: 60

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell
  • T1204.002 Malicious File

The RTF document contains OLE object data and an \objupdate directive, indicating it is designed to execute embedded content automatically when the document is opened. This is a common technique for delivering malicious payloads. No document body text was available for analysis, but the heuristics strongly suggest an attack pattern in which embedded code is executed, most likely to download and run a second-stage payload. The SHA-256 hash is included as the primary identifier.

Heuristics (2)

  • \objupdate forces OLE activation [severity: high] (RTF_OBJUPDATE)
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data [severity: medium] (RTF_OBJDATA)
    RTF contains 1 \objdata section(s) — embedded OLE objects.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename:  objdata_00_off00001674.bin
SHA-256:   521d7ccce0dc5ecee5f59a6f8f23589f53607477c66598c021a8c1ceef124035
Kind:      rtf-objdata-decoded
Source:    RTF \objdata at offset 0x1674
Size:      1978 bytes