Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 23318d0693ef4d25…

MALICIOUS

RTF / .DOC

Size: 11.2 KB
First seen: 2022-09-28
MD5: a76a5beb83b71b2e1294d8489d7fbe41
SHA-1: 2a4e957643195550640ad7b954afd26391d40b12
SHA-256: 23318d0693ef4d2530719da58670c9ad00eddfaf18f50382bb3b55812e4f1a59
Risk Score: 80

Malware Insights

MITRE ATT&CK

  • T1204 Malicious Link
  • T1204.002 Malicious Link: Malicious File
  • T1566 Phishing
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059 Command and Scripting Interpreter

The sample is an RTF document that uses an OLE object with an \objupdate directive, indicating an attempt to automatically activate embedded content. The document body contains a lure instructing the user to "Enable editing", a common social engineering tactic to bypass macro security. This suggests the document is designed to execute embedded malicious code upon user interaction.

Heuristics (3)

  • \objupdate forces OLE activation [high] RTF_OBJUPDATE
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data [medium] RTF_OBJDATA
    RTF contains 1 \objdata section(s): embedded OLE objects.
  • Macro/content-enable lure [medium] SE_ENABLE_LURE
    Document instructs the user to enable macros or editing, a common technique used by malware droppers to bypass Office macro security settings.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00001359.bin
SHA-256: a0f2594e7f83d5eded15d68168c00474ac459dacc5f9f37f4eb406612dd18686
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x1359
Size: 2146 bytes