Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 123e017131920a89…

MALICIOUS

RTF / .DOC

691.5 KB
MD5: 386598b0639e3b9f2b943aeb5954d8d1
SHA-1: 603072ce6d60e1bfdfa70b7cf362b67585433b96
SHA-256: 123e017131920a89ddee398c18887d810768a4ff50b13c16c43f81237a91db5a
Risk Score: 80

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.005 Visual Basic

The sample is an RTF document containing OLE object data, which is a common technique for embedding malicious content. The heuristic 'SE_ENABLE_LURE' indicates the document explicitly instructs the user to enable editing and macros, a typical social engineering tactic. The presence of OLE object data and the lure suggest the document is designed to execute embedded code, likely a macro, to download and run a secondary payload.

Heuristics (3)

  • \objupdate forces OLE activation (severity: high, rule: RTF_OBJUPDATE)
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium, rule: RTF_OBJDATA)
    RTF contains 1 \objdata section(s), i.e. embedded OLE objects.
  • Macro/content-enable lure (severity: medium, rule: SE_ENABLE_LURE)
    Document instructs the user to enable macros or editing, a common technique used by malware droppers to bypass Office macro security settings.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00009a96.bin
SHA-256: bb5e6cfc55f8e8eef0ba13eff44c846280a159ae2e2405ec2e29d59c31faf725
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x9A96
Size: 3713 bytes