Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 1eac4b6a8d54ad0b…

MALICIOUS

RTF / .DOC

12.2 KB First seen: 2022-09-08
MD5: c57544bbe3a0de2e2ee7aaa6052c6b70 SHA-1: aa10cf5ef9aa7fad16765af1b20413f38dae6a7a SHA-256: 1eac4b6a8d54ad0b0deb85eab520d4893e2c0a36879a04334b718299774eb5e2
80 Risk Score

Malware Insights

MITRE ATT&CK
T1204 User Execution T1204.002 Malicious File

The RTF document contains OLE object data and an \objupdate directive, indicating it's designed to activate embedded objects. The document body explicitly instructs the user to click "Enable editing", a social engineering tactic to bypass macro security. This suggests the file's primary purpose is to trick the user into executing malicious content, likely a downloader or dropper.

Heuristics 3

  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 2 \objdata section(s) — embedded OLE objects
  • Macro/content-enable lure medium SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off00001eba.bin
9e79556731bc5dd5f164c4c87a0d6408bde489448fb734bd7edc2fba71efe33e		 rtf-objdata-decoded RTF \objdata at offset 0x1EBA 1564 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.