Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 4a928f9f59311d0e…

MALICIOUS

RTF / .DOC

Size: 29.0 KB
First seen: 2022-11-08
MD5: 0e47951ee583f83a8be950b13b7c6feb
SHA-1: a780362ef470b1a4e920b2f891de6371ec202837
SHA-256: 4a928f9f59311d0ed3c1dcfc34729a30e68b76154f537d69b6fb1e32185d448e
Risk score: 80

Malware Insights

MITRE ATT&CK
  • T1204.002 User Execution: Malicious File
  • T1566 Phishing
  • T1566.001 Phishing: Spearphishing Attachment

The RTF document contains embedded OLE object data (\objdata) together with an \objupdate control word, which tells Word to update the embedded object as soon as the document is opened instead of waiting for the user to double-click it. The document body tells the reader to click 'Enable editing' to view the content. That lure is not aimed at macro security: Word opens downloaded and e-mailed attachments in Protected View, where OLE objects are not activated, so the embedded object only fires once the user leaves Protected View. Taken together this indicates a dropper that executes its embedded object after that single user interaction. The report does not identify the OLE class of the embedded object, so the carved artifact listed below should be inspected to confirm which handler it targets.

Heuristics 3

  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate, which forces the embedded OLE object to be updated (instantiated) when the document is opened, so no double-click on the object is required. Legitimate documents rarely carry it; it is most commonly seen in Equation Editor exploit documents. Check the class name in the carved OLE object's header to confirm the targeted handler.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s), i.e. embedded OLE object(s) stored as hex text.
  • Macro/content-enable lure medium SE_ENABLE_LURE
    Document text instructs the user to enable editing, content or macros, a common technique used by droppers to get the user out of Protected View or past Office macro settings.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename:  objdata_00_off00005afb.bin
SHA-256:   9f210cc3e7de2cbecf92c74ec20f627ff7e4517019209d05edd1467066295f35
Kind:      rtf-objdata-decoded
Source:    RTF \objdata at offset 0x5AFB
Size:      1789 bytes
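The three heuristics above and the artifact carving can be reproduced with a short scanner. The following is an added example written for this page; it is not the analysis engine that produced the report and it does not operate on the analysed sample. It carves every \objdata group out of an RTF, names the output the way the artifact table does (index plus offset of the \objdata control word), hashes it, and then parses the OLE 1.0 header so the analyst sees the object's class name, which the report itself does not show. The RTF it scans is a constructed sample whose embedded object is a dummy OLE 1.0 header with the class name "Equation.3" and a harmless byte string as payload; the finding names and the extra OLE_EQUATION_CLASS check are this example's own, as are all function names.

```python
# Added example: minimal RTF \objdata carver plus OLE 1.0 header parser.
# Not the report's own tooling; the sample RTF below is constructed.
import hashlib
import re
import struct

OBJDATA_RE = re.compile(rb"\\objdata\b")
OBJUPDATE_RE = re.compile(rb"\\objupdate\b")
# Plain-text lure search; text split by control words or \'xx escapes is missed,
# a full RTF text extractor is needed for that case.
LURE_RE = re.compile(rb"enable\s+(editing|content|macros)", re.I)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def iter_objdata(rtf: bytes):
    """Yield (offset, hex_text) for every \\objdata group in the RTF.

    offset is that of the \\objdata control word (same convention as the
    objdata_NN_offXXXXXXXX.bin artifact names). Hex digits are collected
    until the enclosing group closes; whitespace and nested control words
    are skipped. Simplification: \\bin raw-binary runs are not handled.
    """
    for m in OBJDATA_RE.finditer(rtf):
        i, depth, hexbuf = m.end(), 1, bytearray()
        while i < len(rtf) and depth > 0:
            c = rtf[i:i + 1]
            if c == b"{":
                depth += 1
            elif c == b"}":
                depth -= 1
            elif c == b"\\":
                # skip a nested control word and its optional numeric parameter
                j = i + 1
                while j < len(rtf) and rtf[j:j + 1].isalpha():
                    j += 1
                while j < len(rtf) and rtf[j:j + 1] in b"-0123456789":
                    j += 1
                i = j
                continue
            elif c in b"0123456789abcdefABCDEF":
                hexbuf += c
            i += 1
        yield m.start(), bytes(hexbuf)


def decode_objdata(hex_text: bytes) -> bytes:
    if len(hex_text) % 2:            # stray nibble: drop it rather than fail
        hex_text = hex_text[:-1]
    return bytes.fromhex(hex_text.decode("ascii"))


def parse_ole1_header(blob: bytes) -> dict:
    """Parse the OLE 1.0 ObjectHeader that precedes an \\objdata payload:
    version, format id (2 = embedded, 3 = linked), three length-prefixed
    strings (class name, topic, item) and the length of the native data."""
    off = 0
    version, format_id = struct.unpack_from("<II", blob, off)
    off += 8

    def lpstr():
        nonlocal off
        (n,) = struct.unpack_from("<I", blob, off)
        off += 4
        s = blob[off:off + n].rstrip(b"\x00").decode("latin-1")
        off += n
        return s

    class_name, topic, item = lpstr(), lpstr(), lpstr()
    (data_len,) = struct.unpack_from("<I", blob, off)
    off += 4
    return {"version": version, "format_id": format_id, "class_name": class_name,
            "topic": topic, "item": item, "data": blob[off:off + data_len]}


def analyse(rtf: bytes) -> dict:
    """Carve objects and evaluate the three heuristics from the report."""
    objects = []
    for off, hex_text in iter_objdata(rtf):
        blob = decode_objdata(hex_text)
        hdr = parse_ole1_header(blob)
        objects.append({
            "offset": off,
            "filename": "objdata_%02d_off%08x.bin" % (len(objects), off),
            "size": len(blob),
            "sha256": sha256_hex(blob),
            "class_name": hdr["class_name"],
            "payload_len": len(hdr["data"]),
        })
    findings = []
    if OBJUPDATE_RE.search(rtf):
        findings.append("RTF_OBJUPDATE")
    if objects:
        findings.append("RTF_OBJDATA")
    if LURE_RE.search(rtf):
        findings.append("SE_ENABLE_LURE")
    if any(o["class_name"].lower().startswith("equation") for o in objects):
        findings.append("OLE_EQUATION_CLASS")   # example's own confirmation check
    return {"objects": objects, "findings": findings}


def build_ole1(class_name: bytes, data: bytes) -> bytes:
    """Build a minimal OLE 1.0 embedded-object blob (used only for the sample)."""
    def lpstr(s):
        return struct.pack("<I", len(s) + 1) + s + b"\x00" if s else struct.pack("<I", 0)
    return (struct.pack("<II", 0x501, 2) + lpstr(class_name) + lpstr(b"") + lpstr(b"")
            + struct.pack("<I", len(data)) + data)


# Constructed sample: dummy Equation.3 object, harmless payload bytes,
# hex wrapped at 32 characters the way Word writes it.
SAMPLE_OBJECT = build_ole1(b"Equation.3", b"constructed-dummy-bytes-not-an-exploit")
_hex = SAMPLE_OBJECT.hex()
_wrapped = "\n".join(_hex[i:i + 32] for i in range(0, len(_hex), 32)).encode()
SAMPLE_RTF = (
    b"{\\rtf1\\ansi\\deff0{\\fonttbl{\\f0 Calibri;}}\n"
    b"\\pard This document is protected. Please click Enable Editing to view the content.\\par\n"
    b"{\\object\\objemb\\objupdate\\objw1440\\objh1440{\\*\\objclass Equation.3}\n"
    b"{\\*\\objdata\n" + _wrapped + b"\n}}\n"
    b"}\n"
)

if __name__ == "__main__":
    result = analyse(SAMPLE_RTF)
    print("findings:", ", ".join(result["findings"]))
    for o in result["objects"]:
        print(o["filename"], o["size"], "bytes", o["class_name"], o["sha256"])
```

On a real sample the class name is the decisive check for the \objupdate heuristic: an Equation.* class points at the Equation Editor handler, while "Package" or a CLSID-only object points elsewhere, and a header that does not parse at all is itself worth a look, since exploit documents frequently carry malformed OLE 1.0 headers.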