Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 14bc9eb88aeb83fb…

Verdict: MALICIOUS

File type: RTF / .DOC

File size: 512.3 KB

MD5: d5c47c3c40110d31d71d47ebef9ba981
SHA-1: f811b3cd634c20c39a42d758cf0ee5da16a73ab5
SHA-256: 14bc9eb88aeb83fb929a6e97225d7022f6a1919016a6722409903abd39e842a1

Risk Score: 80

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.005 Visual Basic

The RTF document contains OLE object data and an \objupdate directive, indicating it is designed to activate embedded objects. The document body instructs the user to 'Enable editing' and discusses financial audits, serving as a lure. The presence of OLE objects suggests the execution of embedded code, likely a macro or exploit, to achieve malicious objectives.

Heuristics (3)

  • \objupdate forces OLE activation (severity: high, rule RTF_OBJUPDATE)
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium, rule RTF_OBJDATA)
    RTF contains 1 \objdata section(s) — embedded OLE objects.
  • Macro/content-enable lure (severity: medium, rule SE_ENABLE_LURE)
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  • Filename: objdata_00_off0002bf36.bin
    SHA-256: 9853db976503660a4afa7c24be42c1b7b42e241b20e39f97a9860bd777033413
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x2BF36
    Size: 1764 bytes