Malicious RTF — malware analysis report

Static analysis result for SHA-256 32f5bf26d32b4221…

MALICIOUS

RTF

408.8 KB First seen: 2024-11-19
MD5: f6e89e6c3ab17d8d58699ccefeaf3c8d SHA-1: 86c245d0a2ef138aa7afca6bb43316e251b07c68 SHA-256: 32f5bf26d32b42212ada3e88017ad037c6c84f760a64585252576d893a00ff5f
120 Risk Score

Malware Insights

MITRE ATT&CK
T1204 Malicious Link T1204.002 Malicious Link: Malicious File

The RTF file contains embedded OLE objects that are automatically linked and updated, indicating an attempt to execute code upon opening. The document body includes a lure instructing the user to 'enable editing', a common tactic for macro-based malware droppers to bypass security measures. The presence of these elements strongly suggests a malicious intent to deliver a payload.

Heuristics 4

  • Automatically linked OLE object high RTF_OBJAUTLINK
    RTF contains \objautlink — an automatically linked OLE object surface that can be updated or activated when Word opens the document.
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects
  • Macro/content-enable lure medium SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off00012a55.bin
7c26a737e3ebab7434d04414b1dc0b91969b48b55c30aa0c3b1281a4ce94f15e		 rtf-objdata-decoded RTF \objdata at offset 0x12A55 1870 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.