Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 38121d28bc284cdb…

MALICIOUS

RTF / .DOC

8.2 KB First seen: 2022-08-18
MD5: 31dec014ea6842c14f7a2979ad6e5c2f SHA-1: c693591ea27799ca565c0f75bd44f6e00255867a SHA-256: 38121d28bc284cdbd3a331550d924e5670bdcaa721f7ca7b43324d4a7922133b
80 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious File T1059.005 Visual Basic

The RTF document contains OLE object data and an \objupdate directive, which are commonly used to bypass security measures and prompt the user to enable editing. The heuristic 'SE_ENABLE_LURE' confirms that the document instructs the user to enable macros or editing, a typical lure for malware droppers. No scripts were extracted, and the document body was heavily obfuscated, preventing a more detailed analysis of the payload.

Heuristics 3

  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 2 \objdata section(s) — embedded OLE objects
  • Macro/content-enable lure medium SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off00000c77.bin
068e47ab1a04700fce2861389d26478ae680e46ff8340fe0ac11c8c28740982a		 rtf-objdata-decoded RTF \objdata at offset 0xC77 1569 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.