Malicious RTF — malware analysis report

Static analysis result for SHA-256 ed3a856909f7bffd…

MALICIOUS

RTF

141.1 KB Authoring application: Msftedit 5.41.15.1515
MD5: 152e35dddfb1b74513d7aa73f28ec653 SHA-1: fe79c0b0833bf5f8d74c6144760e9f0d28bbe326 SHA-256: ed3a856909f7bffdf25c3cc3595f5bfa0cc1f58610ab85608181fbc0c6307f74
140 Risk Score

Malware Insights

MITRE ATT&CK
T1559.002 Component Object Model Hijacking T1204.002 Malicious File

The RTF file contains an embedded OLE object that has been identified as a PE header in hex data. This strongly suggests the RTF is a container for a malicious executable. The presence of OLE object data and a package object class further supports this, indicating a technique to disguise and deliver a payload.

Heuristics 4

  • PE header (with DOS stub) in hex data critical RTF_MZ_HEX
    Hex-encoded PE (MZ + DOS stub) found inside RTF — likely an embedded executable payload
  • Package object class high RTF_OBJCLASS_PACKAGE
    OLE Package object — can wrap arbitrary files
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects
  • Embedded OLE object medium RTF_OBJEMB
    RTF contains \objemb — embedded OLE object

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off000000e7.bin
0079e944a7b8eec2d6b604531c446c874153fb584171ef2c45acc6c601e554a6		 rtf-objdata-decoded RTF \objdata at offset 0xE7 70019 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.