Malicious RTF — malware analysis report

Static analysis result for SHA-256 ec7d55fc74bf46aa…

Verdict: MALICIOUS
File type: RTF
Size: 403.3 KB
MD5: 3f0246c5a61b81417163692cee6ea7e7
SHA-1: 372ce04c3b92563bafb2c9b7b5fd90adc0a341f3
SHA-256: ec7d55fc74bf46aa6a0f23b77b4890da0463d7324bcb9d83713a7651586a2242
Risk Score: 60

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious File
  • T1059.001 PowerShell

The RTF file contains OLE object data and an \objupdate directive, indicating an attempt to exploit OLE activation for code execution. The embedded OLE object, when decoded, is a binary blob of significant size, suggesting it may contain a payload or exploit. While no specific script was extracted, the heuristics strongly suggest a malicious intent to leverage embedded objects for compromise. The SHA-256 hash is included as the primary identifier.

Heuristics (2)

  • \objupdate forces OLE activation [high] (RTF_OBJUPDATE)
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data [medium] (RTF_OBJDATA)
    RTF contains 1 \objdata section(s): embedded OLE objects.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00000f5c.bin
SHA-256:  1e7d5e125d13f5b5eff2351cdf581ff83b8b7376a718bb1ab75e3ad4640592b2
Kind:     rtf-objdata-decoded
Source:   RTF \objdata at offset 0xF5C
Size:     122213 bytes