Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 13c2953210f1096a…

MALICIOUS

RTF / .DOC

Size: 5.6 KB    First seen: 2023-01-20
MD5:     ee912fcf1ecfa66dca63864451cd81a2
SHA-1:   dd8330fb287d2f462d40c43e36879e938dfdd936
SHA-256: 13c2953210f1096ad25c73a45e75c7a1775fc489658dc9ba3008ff969e8f2618
Risk score: 80

Malware Insights

MITRE ATT&CK

  • T1566 Phishing: T1566.001 Spearphishing Attachment
  • T1204 User Execution: T1204.002 Malicious File

The sample is an RTF document that carries one embedded OLE object (RTF_OBJDATA) and whose visible text instructs the reader to enable editing (SE_ENABLE_LURE). That wording is the classic lure used by macro droppers, but RTF files cannot carry VBA macros, so here its purpose is to get the reader out of Protected View: once the document is editable, the \objupdate control word (RTF_OBJUPDATE) forces the embedded OLE object to be instantiated without any further click. The combination of an enable-editing lure, \objupdate and a single \objdata section is characteristic of Equation Editor exploit documents, so the carved \objdata payload should be treated as the likely exploit stage and examined for the secondary payload it is meant to fetch or drop.

Heuristics (3)

  • RTF_OBJUPDATE (high): \objupdate forces OLE activation
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened (once it is out of Protected View), bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • RTF_OBJDATA (medium): OLE object data
    RTF contains 1 \objdata section(s), i.e. embedded OLE objects.
  • SE_ENABLE_LURE (medium): Macro/content-enable lure
    Document instructs the user to enable macros or editing, a common technique used by malware droppers to bypass Office macro security settings.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  • Filename: objdata_00_off00000746.bin
    SHA-256:  66ba29e26d5cd491919fd1a8f8ec253acd28472cc2ffdd7dc41a21a247bcfa5a
    Kind:     rtf-objdata-decoded
    Source:   RTF \objdata at offset 0x746
    Size:     1865 bytes
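The three heuristics above and the \objdata carving step can be reproduced with a few dozen lines of Python. The script below is an added example written for this page; it is not the scanner that produced the report and it does not analyse the sample with the hashes listed here. The RTF it runs on is a constructed stand-in (an \objupdate control word, an enable-editing sentence and one \objdata group whose hex payload is a placeholder that begins with the OLE compound-file magic D0CF11E0A1B11AE1), the function and severity names are the author's own, and the carved filenames merely mirror the report's `objdata_NN_offXXXXXXXX.bin` convention.

```python
"""Minimal RTF triage: flag \\objupdate / \\objdata / enable-content lures and carve
the hex-encoded OLE object out of every \\objdata group (added example, not the
report's own tooling)."""
import hashlib
import re

# Constructed sample, not the analysed file: one \objupdate, a lure sentence and a
# single \objdata group whose payload is a placeholder starting with the OLE
# compound-file magic. Whitespace and a line break are deliberately mixed into the
# hex, as real samples do.
SAMPLE_RTF = (
    b"{\\rtf1\\ansi\n"
    b"{\\fonttbl{\\f0 Calibri;}}\n"
    b"\\f0\\fs24 This document is protected. Please click Enable Editing"
    b" and then Enable Content to view it.\\par\n"
    b"{\\object\\objemb\\objupdate{\\*\\objclass Equation.3}"
    b"{\\*\\objdata d0cf11e0a1b11ae1 00000000 000000\n"
    b"00 0000000000}}\n"
    b"}"
)

OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")          # compound-file header
LURE_RE = re.compile(rb"enable\s+(editing|content|macros)", re.IGNORECASE)


def find_objdata_groups(rtf):
    """Return [(offset_of_\\objdata, hex_bytes)] for every \\objdata group.

    Hex digits are collected until the group containing \\objdata closes. Nested
    groups, control words and control symbols inside the group are skipped, so
    junk control words padded into the hex do not break the decode.
    """
    groups = []
    for m in re.finditer(rb"\\objdata", rtf):
        i, depth, hexchars = m.end(), 0, bytearray()
        while i < len(rtf):
            c = rtf[i:i + 1]
            if c == b"{":
                depth += 1
            elif c == b"}":
                if depth == 0:
                    break                                # end of \objdata group
                depth -= 1
            elif c == b"\\":
                nxt = rtf[i + 1:i + 2]
                if nxt == b"'":                          # \'hh escaped byte
                    i += 4
                elif nxt.isalnum():                      # control word: skip name
                    j = i + 1
                    while j < len(rtf) and rtf[j:j + 1].isalnum():
                        j += 1
                    i = j
                else:                                    # control symbol: \* \\ \{
                    i += 2
                continue
            elif depth == 0 and c in b"0123456789abcdefABCDEF":
                hexchars += c
            i += 1
        groups.append((m.start(), bytes(hexchars)))
    return groups


def decode_objdata(hexstring):
    """Decode an \\objdata hex payload; a dangling odd nibble is dropped."""
    if len(hexstring) % 2:
        hexstring = hexstring[:-1]
    return bytes.fromhex(hexstring.decode("ascii"))


def carve_objects(rtf):
    """Carve each \\objdata payload, naming files the way the report does."""
    carved = []
    for n, (off, hexstring) in enumerate(find_objdata_groups(rtf)):
        data = decode_objdata(hexstring)
        carved.append({
            "filename": f"objdata_{n:02d}_off{off:08x}.bin",
            "offset": off,
            "size": len(data),
            "sha256": hashlib.sha256(data).hexdigest(),
            "ole_magic_at": data.find(OLE_MAGIC),      # -1 if no CFB header inside
        })
    return carved


def scan_rtf(rtf):
    """Apply the report's three heuristics (author's own severity labels)."""
    hits = {}
    if re.search(rb"\\objupdate\b", rtf):
        hits["RTF_OBJUPDATE"] = "high"
    if find_objdata_groups(rtf):
        hits["RTF_OBJDATA"] = "medium"
    if LURE_RE.search(rtf):
        hits["SE_ENABLE_LURE"] = "medium"
    return hits


if __name__ == "__main__":
    print(scan_rtf(SAMPLE_RTF))
    for obj in carve_objects(SAMPLE_RTF):
        print(obj)
```

The carved bytes are the raw decoded \objdata stream, which is what the report lists as kind `rtf-objdata-decoded`; the compound-file magic is only searched for, not parsed, because the object's own header precedes it and because an Equation Editor payload may sit at an offset into the stream. Run the script against a real sample by replacing `SAMPLE_RTF` with the file's bytes, and compare each carved artifact's SHA-256 with the value in the report.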