Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 09f02661c7afedf0…

MALICIOUS

RTF / .DOC

614.5 KB
MD5: 1d02448bc5eb674c43877d2564ef2aa0 SHA-1: 7beef8f1365a66fdd6040592425fa043426b3b90 SHA-256: 09f02661c7afedf014299e225d001f45d1e25bafc11141b835cdc5ad964f8b19
80 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.005 Visual Basic

The RTF document contains OLE object data and uses an \objupdate directive, indicating an attempt to exploit OLE vulnerabilities. The document body explicitly instructs the user to 'click Enable editing from the yellow bar above,' a common lure to bypass macro security. This suggests the file is designed to exploit vulnerabilities and execute embedded content, likely a macro, to achieve its malicious objective.

Heuristics 3

  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects
  • Macro/content-enable lure medium SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off0001a172.bin
741719267e2eae66289e97ac9912f62ccf9b4d3efce6455007304a181fc5908d		 rtf-objdata-decoded RTF \objdata at offset 0x1A172 3716 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.