Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 2860a549ef6a90f4…

MALICIOUS

RTF / .DOC

Size: 77.4 KB
First seen: 2023-06-20
MD5: 1560de54fb06f712d48e236bf0f9d552
SHA-1: 22662d56dae5115618f2de3f2abb3681e002af6a
SHA-256: 2860a549ef6a90f4fd4a829571131238b2303a8a51bf021017ab7a47f85e6f33
Risk Score: 80

Malware Insights

MITRE ATT&CK
  • T1204 User Execution: Malicious Link
  • T1566 Phishing
  • T1059 Command and Scripting Interpreter

The RTF document contains OLE object data together with an \objupdate directive, indicating an attempt to execute the embedded content once the user enables editing. The document body itself is a lure that presents academic content to mask the malicious intent. The primary mechanism appears to be abuse of OLE object handling within RTF documents.

Heuristics (3)

  • \objupdate forces OLE activation [high] (RTF_OBJUPDATE)
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data [medium] (RTF_OBJDATA)
    RTF contains 1 \objdata section(s) — embedded OLE objects.
  • Macro/content-enable lure [medium] (SE_ENABLE_LURE)
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00005304.bin
SHA-256:  743821daec11722efe7c564e1dd2b72073c2047f87532f0f48fc7b3e0b19cfc0
Kind:     rtf-objdata-decoded
Source:   RTF \objdata at offset 0x5304
Size:     4167 bytes