Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 33e62060e31dc4d6…

MALICIOUS

RTF / .DOC

26.9 KB First seen: 2022-11-15
MD5: 89319a4732dc56c9bf16346b269fc7e1 SHA-1: 53b837342e52b39f4f662dd0dec62e60d991bc21 SHA-256: 33e62060e31dc4d6465dc880d314be9ed30b7f3a5e2e6e26c990caedf7511d36
80 Risk Score

Malware Insights

MITRE ATT&CK
T1204 Malicious Link T1204.002 Malicious File

The RTF document contains OLE object data and an \objupdate directive, indicating an attempt to activate embedded objects. The document body explicitly instructs the user to 'Enable editing' due to it being an 'earlier version Microsoft Office Word', a common social engineering tactic to bypass macro security. This suggests the file is a dropper designed to execute further malicious content upon user interaction.

Heuristics 3

  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects
  • Macro/content-enable lure medium SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off00005771.bin
71ea7ad454079bbdd415da38a9deac3bcbbe41da3eb3d2e3232fa0d39ca49e41		 rtf-objdata-decoded RTF \objdata at offset 0x5771 1459 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.