Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 0857a8d13d35ce41…

MALICIOUS

RTF / .DOC

7.4 KB First seen: 2023-01-06
MD5: 9b79ef0f858c2369fc85fc2ec341bb7b SHA-1: 0c29a9d5e1087050660c78423b5d5d72ce084dcc SHA-256: 0857a8d13d35ce4155c3bf20d43ca5417642dba1fa9cd62a6826156db83509f4
80 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 User Execution: Malicious File

The RTF document contains OLE object data and an objupdate directive, indicating an attempt to activate embedded content. The document body explicitly instructs the user to 'enable editing' to view the document, a common social engineering lure to bypass macro security settings. This suggests the file is a dropper designed to execute malicious content upon user interaction.

Heuristics 3

  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects
  • Macro/content-enable lure medium SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off00001170.bin
c8c11ec00120aa274f5e2ca0e07ed5b1091c51fa3baebaca949b242c0a4abdab		 rtf-objdata-decoded RTF \objdata at offset 0x1170 1484 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.