Malicious RTF — malware analysis report

Static analysis result for SHA-256 e5e1d72cc6c9b975…

MALICIOUS

RTF

8.8 KB
MD5: 5e9633bff54872322857e754abebd6ff SHA-1: 214042cce6718bda9ff4d9631483b8be4ca8aaed SHA-256: e5e1d72cc6c9b97503fa2d43df4f1da20c97dd1803d86b0ae90312bac9cd0c04
60 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious File T1059.001 PowerShell

The RTF document contains OLE object data and uses an \objupdate directive, indicating an attempt to exploit embedded OLE objects. This is a common technique for delivering malicious payloads. While no specific script was extracted, the heuristics strongly suggest the file is designed to trigger an exploit, likely leading to the download and execution of a second-stage payload. The SHA256 hash is provided as a primary IOC.

Heuristics 2

  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off000014bf.bin
9c52e6dcfe0611ca22178a44fbd259502ea596693791b7b38962f5ceec230483		 rtf-objdata-decoded RTF \objdata at offset 0x14BF 1676 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.