Malicious RTF — malware analysis report

Static analysis result for SHA-256 d4acdffe14d9a59e…

MALICIOUS

RTF

82.8 KB
MD5: 81ff174060ce706d9e3f3a3d9117a01f SHA-1: 46d07ff6a8ef26cf294eaf45d72f1eac28d78ee2 SHA-256: d4acdffe14d9a59e94f4488dcdad3abc2dce847a3f756a25b06fc23d42e8056b
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.001 PowerShell T1204.002 Malicious File

The file is an RTF document containing OLE object data and an \objupdate directive, which forces OLE activation. ClamAV identifies this as 'Rtf.Dropper.Agent-7643114-0'. The presence of \objdata and \objupdate strongly suggests the document is designed to drop and execute a secondary payload. The document body is heavily obfuscated and does not provide clear textual lures.

Heuristics 3

  • ClamAV: Rtf.Dropper.Agent-7643114-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Rtf.Dropper.Agent-7643114-0
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off00001f4c.bin
0bd5d7166b1072c13f82c807fc278044636c90f78859c68215e003b11c46ee79		 rtf-objdata-decoded RTF \objdata at offset 0x1F4C 20628 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.