Malicious RTF / .EXE — malware analysis report

Static analysis result for SHA-256 f753e2dd667fe827…

MALICIOUS

RTF / .EXE

Size: 164.6 KB
Authoring application: Msftedit 5.41.21.2509
MD5: c81205d8bb1c66294989579163f340a6
SHA-1: c12bd1ece0a03244c4525e7e7c05d5ed07d1748c
SHA-256: f753e2dd667fe827ff082b0a457a09414ef7f52ab16d1713e9fe69a740570eb1
Risk Score: 140

Malware Insights

MITRE ATT&CK
  • T1559.001 Component Object Model Hijacking
  • T1137.001 DLL Side-Loading

The RTF document contains an embedded OLE object whose class name is Package. Further analysis reveals a PE header inside the OLE object's data, indicating it is a Windows executable. This is consistent with a technique in which a malicious executable is embedded within a seemingly benign document to bypass initial security checks.

Heuristics (4)

  • [critical] RTF_MZ_HEX: PE header (with DOS stub) in hex data
    Hex-encoded PE (MZ + DOS stub) found inside RTF; likely an embedded executable payload
  • [high] RTF_OBJCLASS_PACKAGE: Package object class
    OLE Package object; can wrap arbitrary files
  • [medium] RTF_OBJDATA: OLE object data
    RTF contains 1 \objdata section(s); embedded OLE objects
  • [medium] RTF_OBJEMB: Embedded OLE object
    RTF contains \objemb; embedded OLE object

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off000000d2.bin
SHA-256: 8f9d12d3dc7a5a330c468527231df21007cd2007f79a911b01d27ebb70aa7e02
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0xD2
Size: 78307 bytes