Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 443471842fdfa135…

Verdict: MALICIOUS

File type: RTF / .DOC

Size: 224.7 KB

MD5: 27bcba57ac8aeb1677d8c05f585b6b58
SHA-1: 428b46d69f41447fcb6e1bf12adae80c07d05eb6
SHA-256: 443471842fdfa13536078ac02612dff089536e8bf16bc507fc21d0ad59879f04

Risk Score: 80

Malware Insights

MITRE ATT&CK

  • T1204 Malicious Link
  • T1204.002 Malicious Link: Malicious File
  • T1566 Phishing
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059 Command and Scripting Interpreter
  • T1059.005 Command and Scripting Interpreter: Visual Basic

The RTF document contains an embedded OLE object and uses an \objupdate directive, indicating an attempt to execute embedded content. The document body explicitly instructs the user to 'enable editing' and implies a financial context, which is a lure to bypass security measures. This suggests the file is a downloader designed to trick users into executing malicious code.

Heuristics (3)

  • \objupdate forces OLE activation (severity: high, rule: RTF_OBJUPDATE)
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium, rule: RTF_OBJDATA)
    RTF contains 1 \objdata section(s), i.e. embedded OLE objects.
  • Macro/content-enable lure (severity: medium, rule: SE_ENABLE_LURE)
    Document instructs the user to enable macros or editing, a common technique used by malware droppers to bypass Office macro security settings.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off0000125c.bin
SHA-256:  70968c7eb6af3c3c14a05490bdbd358ba22f085e9459fff2b26cc60d0153b3eb
Kind:     rtf-objdata-decoded
Source:   RTF \objdata at offset 0x125C
Size:     1654 bytes