Malicious RTF — malware analysis report

Static analysis result for SHA-256 dea6b31d495a161c…

Verdict: MALICIOUS
Type: RTF
Size: 9.3 KB
MD5: e4c1efeefd11158e52eb0c16ccf1065c
SHA-1: c03b9c4278a38709ea8580d567dd5c2d770a8d0c
SHA-256: dea6b31d495a161c81709e32785a647b65e0f5d6e4da3a8a0636e5dc9c67d1c9
Risk Score: 80

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File

The RTF file contains embedded OLE objects, and the \objupdate heuristic indicates that these objects are forced to activate when the document is opened. This suggests the document is designed to exploit OLE vulnerabilities to execute embedded code. While no specific script was extracted, the presence of OLE objects together with the activation trigger strongly implies malicious intent, most likely to download and execute a secondary payload.

Heuristics (3)

  • \objupdate forces OLE activation (severity: high, rule: RTF_OBJUPDATE)
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium, rule: RTF_OBJDATA)
    RTF contains 1 \objdata section(s): embedded OLE objects.
  • Embedded OLE object (severity: medium, rule: RTF_OBJEMB)
    RTF contains \objemb: embedded OLE object.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off0000108e.bin
SHA-256: 7c8986e83b8f35c67715d1b0a8f17ccc41bc7f21e51bb4493f9476d66be2bc08
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x108E
Size: 1834 bytes