Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 582d08449d2b1850…

MALICIOUS

RTF / .DOC

576.3 KB
MD5: e2cec6f11ccac4ecfc5d93e5e2066841 SHA-1: 37e93973cbdb7529e6bf428cb77fd6bf74fbdd4f SHA-256: 582d08449d2b185035456fa7a91586f947a319ef379fcd94708a0b35342b2627
100 Risk Score

Malware Insights

MITRE ATT&CK
T1204 Malicious Link T1204.002 Malicious File T1566 Phishing T1566.001 Spearphishing Attachment

The RTF document contains OLE object data and an \objupdate directive, indicating an attempt to activate embedded content. The document body provides a lure related to financial audits, instructing the user to 'Enable editing', which is a common tactic for macro-based malware delivery. The presence of OLE objects and the lure strongly suggest the execution of a malicious payload.

Heuristics 4

  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects
  • Embedded OLE object medium RTF_OBJEMB
    RTF contains \objemb — embedded OLE object
  • Macro/content-enable lure medium SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off00006fc6.bin
cf80f35023de9b02a5f087d688dcd089190702e3c78d3427f246dd783ce0e47e		 rtf-objdata-decoded RTF \objdata at offset 0x6FC6 3719 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.