Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 4f974b06ab44d235…

MALICIOUS

RTF / .DOC

604.9 KB
MD5: 42ad7b83b1895d01e960c956b3fa6f31
SHA-1: f0140678fd3890d9277c6eca53174e8c423fbf08
SHA-256: 4f974b06ab44d235e6d30c028fb689025f8351cf7de778a18f6a2a60d7159034

Risk Score: 100

Malware Insights

MITRE ATT&CK
  • T1204 User Execution
  • T1204.002 Malicious File
  • T1566 Phishing
  • T1566.001 Spearphishing Attachment

The RTF document contains embedded OLE object data and an instruction to enable editing, which are common techniques for delivering malicious payloads. The document body discusses financial audits and internal controls, likely serving as a lure to trick the user into activating the embedded malicious object.

Heuristics (4)

  • \objupdate forces OLE activation (severity: high, rule: RTF_OBJUPDATE)
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium, rule: RTF_OBJDATA)
    RTF contains 1 \objdata section(s) — embedded OLE objects
  • Embedded OLE object (severity: medium, rule: RTF_OBJEMB)
    RTF contains \objemb — embedded OLE object
  • Macro/content-enable lure (severity: medium, rule: SE_ENABLE_LURE)
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off000074a6.bin
SHA-256: aa9f64ea30cc7bcd3d0a34a90334211cb203046dae88e53e743c90e5f96b4acb
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x74A6
Size: 4231 bytes