Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 511c82313461b74f…

MALICIOUS

RTF / .DOC

415.0 KB First seen: 2024-07-01
MD5: ff06a87dd0550386be1f780d560f1877 SHA-1: 69e95738ec635520a508f7424a759261e5032cb0 SHA-256: 511c82313461b74fe24201d13dead6a280311d248062e09a465eb950502d1c18
100 Risk Score

Malware Insights

MITRE ATT&CK
T1204 User Execution T1204.002 Malicious File T1566 Phishing T1566.001 Spearphishing Attachment

The RTF document contains OLE object data and an \objupdate directive, indicating it is designed to activate embedded objects. The presence of a 'SE_ENABLE_LURE' heuristic firing and the document body's instruction to 'click Enable editing' strongly suggest a social engineering tactic to bypass security measures and execute embedded malicious content, likely a downloader.

Heuristics 4

  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects
  • Embedded OLE object medium RTF_OBJEMB
    RTF contains \objemb — embedded OLE object
  • Macro/content-enable lure medium SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off00018e93.bin
53b8cf715e4dfcada76e1520ee8e003ae79517d5eb486ab81eb87b56742b07d6		 rtf-objdata-decoded RTF \objdata at offset 0x18E93 1618 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.