Malicious RTF — malware analysis report

Static analysis result for SHA-256 18c36d9bef8c4b3e…

MALICIOUS

RTF

779.1 KB First seen: 2024-07-24
MD5: e72941b6d0735e4b2cb051e9ae9b6839 SHA-1: 6e3678c1dbe7b22bad7e6ad598821ba5c0f45252 SHA-256: 18c36d9bef8c4b3e1c4ee7504b60d34d4145d45932a5d36468d7b56f5008b91f
120 Risk Score

Malware Insights

MITRE ATT&CK
T1204 Malicious Link T1204.002 Malicious Link: Malicious File T1566 Phishing T1566.001 Phishing: Spearphishing Attachment

The RTF file contains OLE object data and heuristics indicate that an automatically linked OLE object is present and forced to update, suggesting it will execute when the document is opened. The document body provides a lure by discussing financial audits and instructing the user to 'enable editing', a common tactic for macro-based malware delivery.

Heuristics 4

  • Automatically linked OLE object high RTF_OBJAUTLINK
    RTF contains \objautlink — an automatically linked OLE object surface that can be updated or activated when Word opens the document.
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects
  • Macro/content-enable lure medium SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off0006eec2.bin
c62e31afb9136de34c1d591729f411780bcb6479e2c300a0ebaa24f553d6ff60		 rtf-objdata-decoded RTF \objdata at offset 0x6EEC2 1556 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.