Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 0579aea7cd7104b6…

MALICIOUS

RTF / .DOC

570.8 KB
MD5: 7b1a52845bab969dca672246e6b2a39f
SHA-1: 7cf2ead244ba2eaa89c640b006c9e3f5ce5691eb
SHA-256: 0579aea7cd7104b69300532965c00f920aca1dd37fe028c980c98d3d41a718a9
Risk Score: 80

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution
  • T1059.005 Visual Basic

The RTF document contains OLE object data and an \objupdate directive, indicating an attempt to exploit OLE vulnerabilities. The document body provides a lure related to financial audits, instructing the user to 'enable editing', a common tactic to bypass macro security. This suggests the document is designed to execute embedded malicious content, likely a macro, to achieve initial execution.

Heuristics (3)

  • \objupdate forces OLE activation (severity: high, rule: RTF_OBJUPDATE)
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium, rule: RTF_OBJDATA)
    RTF contains 1 \objdata section(s) — embedded OLE objects.
  • Macro/content-enable lure (severity: medium, rule: SE_ENABLE_LURE)
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00040806.bin
SHA-256:  7283cb060cfe4c4bbc4f00aea27b98bc3fdb5eec94391462e794f440f892bd1e
Kind:     rtf-objdata-decoded
Source:   RTF \objdata at offset 0x40806
Size:     1361 bytes