RTF malware analysis — malicious · dc31b6add11a4d93

MALICIOUS

RTF

361.2 KB Authoring application: Msftedit 5.41.21.2509

MD5: 0e472c119f40d8b1c714395f2f6357f7 SHA-1: d9309e5b99ee6a2a49848443d57ddd7f4fd5ab26 SHA-256: dc31b6add11a4d93c02f08e3fc0c422f47034659155559459d7c3104f22b5b53

140 Risk Score

Malware Insights

MITRE ATT&CK

T1559 Component Object Model and Distributed Component Object Model T1559.001 Component Object Model and Distributed Component Object Model: Component Object Model

The RTF file contains embedded OLE objects, specifically a package object, which is a strong indicator of malicious intent. The critical heuristic firing for an MZ header within hex data suggests that a Portable Executable (PE) file is embedded, likely serving as the payload. The file's SHA256 hash is included as an IOC.

Heuristics 4

PE header (with DOS stub) in hex data critical RTF_MZ_HEX

Hex-encoded PE (MZ + DOS stub) found inside RTF — likely an embedded executable payload
Package object class high RTF_OBJCLASS_PACKAGE

OLE Package object — can wrap arbitrary files
OLE object data medium RTF_OBJDATA

RTF contains 1 \objdata section(s) — embedded OLE objects
Embedded OLE object medium RTF_OBJEMB

RTF contains \objemb — embedded OLE object

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`objdata_00_off00000123.bin` `f62a584572befecb22b7a9cbda5cce4a1af7ad591e05229a7dd87d7cc9608b36`	rtf-objdata-decoded	RTF \objdata at offset 0x123	176440 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.