Malicious RTF — malware analysis report

Static analysis result for SHA-256 476ed905283a19d8…

Verdict: MALICIOUS
File type: RTF
Size: 698.2 KB
First seen: 2024-10-08
MD5: a6cdfda6fae8cc876e2dd1be2ed9a991
SHA-1: 36804f79adcff4695079dc4e780e71e20049610b
SHA-256: 476ed905283a19d869416f4f6cec106c582621344fec1eb8c306dc6e30592283
Risk Score: 80

Malware Insights

MITRE ATT&CK
  • T1204 — Malicious Link
  • T1204.002 — Malicious Link: Malicious File

The RTF document contains an OLE object and an instruction to 'Enable editing', which is a common lure to bypass macro security settings. The presence of ".objdata" and ".objupdate" heuristics indicates embedded OLE objects, often used to deliver malicious payloads. The document body discusses financial statements and internal controls, likely a pretext to disguise the malicious intent.

Heuristics (3)

  • \objupdate forces OLE activation (severity: high; rule: RTF_OBJUPDATE)
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium; rule: RTF_OBJDATA)
    RTF contains 1 \objdata section(s), i.e. embedded OLE objects.
  • Macro/content-enable lure (severity: medium; rule: SE_ENABLE_LURE)
    Document instructs the user to enable macros or editing, a common technique used by malware droppers to bypass Office macro security settings.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename:  objdata_00_off000093ce.bin
SHA-256:   075840d7c20b3dbe655ecff90c2ec934847efd2acc831d2880f9460461a6dbfc
Kind:      rtf-objdata-decoded
Source:    RTF \objdata at offset 0x93CE
Size:      4215 bytes