Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 5e98973255e72155…

Verdict: MALICIOUS
File type: RTF / .DOC
Size: 6.8 KB
First seen: 2022-09-06
MD5: 6e3514e8d6b003e8bcc0f21e33c8aaba
SHA-1: f246c9e4e520081dfaa0fbe6b97538a85e1d672c
SHA-256: 5e98973255e721552e7b662a6923c5d7f459d4de90a7ba7ee417d1e940340323
Risk score: 80

Malware Insights

MITRE ATT&CK
  • T1204 User Execution
  • T1204.002 User Execution: Malicious File
  • T1566 Phishing
  • T1566.001 Phishing: Spearphishing Attachment

The file is an RTF document that carries embedded OLE object data together with the \objupdate control word, which makes Word instantiate the object as soon as the document is opened. That combination is characteristic of documents that target a vulnerable OLE server rather than of legitimately embedded content. The SE_ENABLE_LURE heuristic shows that the document also tells the user to enable editing and macros, a standard dropper tactic for getting past Office protections such as Protected View. No scripts were extracted and the document body is heavily obfuscated, but automatic OLE activation combined with the lure strongly indicates an attempt to run a further payload. The decisive follow-up check is the class of the carved OLE object: the OLE 1.0 header at the start of the decoded \objdata names the server that \objupdate is meant to trigger.

Heuristics 3

  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, so the object is activated without the user clicking it. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 2 \objdata section(s) — embedded OLE objects (one of them was carved; see Extracted artifacts)
  • Macro/content-enable lure medium SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to get the user to leave Protected View and bypass Office macro security settings

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: objdata_00_off000005e7.bin
SHA-256: e41216bbc0b2c4d04a75d56e8f87966c23bb632aae9486b59f1e5b10aa35aa7d
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x5E7
Size: 1930 bytes
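The heuristics above (\objupdate, \objdata, the enable-content lure) and the carved \objdata artifact can be reproduced with a small triage script. The following is an added example, not code from this report or from the analysis tool that produced it: it scans an RTF for the three indicators, hex-decodes each \objdata group, and parses the OLE 1.0 ObjectHeader (OLEVersion, FormatID, ClassName, TopicName, ItemName, NativeDataSize, as documented in MS-OLEDS) so the analyst sees which OLE server the document tries to activate. The sample RTF is constructed for the example; its embedded object names an Equation Editor class but its native data is a placeholder string, not an exploit. Function names (`triage_rtf`, `parse_ole1`, `build_sample`) are the example's own.

```python
"""Added triage example: scan an RTF for \\objupdate, carve \\objdata blobs, and read each
OLE 1.0 object header so the analyst can see which OLE server the document tries to activate.
The sample document below is constructed; the embedded "object" is a placeholder, not an exploit."""
import re
import struct

# The three indicators behind the report's heuristics (RTF_OBJUPDATE, RTF_OBJDATA, SE_ENABLE_LURE).
OBJUPDATE_RE = re.compile(rb"\\objupdate\b")
OBJDATA_RE = re.compile(rb"\\objdata\b([^{}]*)")  # hex run up to the group's closing brace
LURE_RE = re.compile(rb"enable\s+(editing|content|macros)", re.IGNORECASE)


def _read_lp_string(blob: bytes, off: int):
    """MS-OLEDS LengthPrefixedAnsiString: 4-byte length, then that many bytes (length 0 = no string)."""
    (length,) = struct.unpack_from("<I", blob, off)
    off += 4
    return blob[off:off + length].rstrip(b"\x00").decode("latin-1"), off + length


def parse_ole1(blob: bytes) -> dict:
    """Parse the OLE 1.0 ObjectHeader carried by \\objdata: OLEVersion, FormatID, ClassName, TopicName, ItemName."""
    ole_version, format_id = struct.unpack_from("<II", blob, 0)
    class_name, off = _read_lp_string(blob, 8)
    topic_name, off = _read_lp_string(blob, off)
    item_name, off = _read_lp_string(blob, off)
    info = {"ole_version": ole_version, "format_id": format_id, "class_name": class_name,
            "topic_name": topic_name, "item_name": item_name}
    if format_id == 2:  # FormatID 2 = EmbeddedObject: NativeDataSize then NativeData follow the header
        (native_size,) = struct.unpack_from("<I", blob, off)
        info["native_size"] = native_size
        info["native_data"] = blob[off + 4:off + 4 + native_size]
    return info


def triage_rtf(rtf: bytes) -> dict:
    """Return the indicators the report lists, plus the decoded header of every carved \\objdata blob."""
    objects = []
    for m in OBJDATA_RE.finditer(rtf):
        hexrun = re.sub(rb"\s+", b"", m.group(1))
        try:
            blob = bytes.fromhex(hexrun.decode("ascii"))
        except ValueError:
            continue  # obfuscated hex (nested control words etc.) needs a real RTF tokenizer; out of scope here
        entry = {"offset": m.start(), "size": len(blob), "class_name": None}
        try:
            entry.update(parse_ole1(blob))
        except struct.error:
            pass  # too short to be an OLE1 header: keep the carved size, leave class_name None
        objects.append(entry)
    return {
        "objupdate": bool(OBJUPDATE_RE.search(rtf)),
        "lure": bool(LURE_RE.search(rtf)),
        "objdata_count": len(objects),
        "objects": objects,
    }


def _lp(s: str) -> bytes:
    """Encode a LengthPrefixedAnsiString (NUL-terminated, length includes the NUL)."""
    b = s.encode("ascii") + b"\x00"
    return struct.pack("<I", len(b)) + b


def build_sample() -> bytes:
    """Constructed RTF in the shape the report describes. The OLE1 blob names an Equation Editor
    class (the family the RTF_OBJUPDATE heuristic points at) but its native data is a placeholder."""
    native = b"PLACEHOLDER-NOT-AN-EXPLOIT"
    ole1 = (struct.pack("<II", 0x00000501, 2)   # OLEVersion, FormatID=2 (EmbeddedObject)
            + _lp("Equation.3")                  # ClassName
            + struct.pack("<II", 0, 0)           # empty TopicName and ItemName
            + struct.pack("<I", len(native)) + native)
    return (b"{\\rtf1\\ansi\n"
            b"{\\pard This document is protected. Click Enable Editing and then Enable Content to view it.\\par}\n"
            b"{\\object\\objemb\\objupdate{\\*\\objclass Equation.3}{\\*\\objdata "
            + ole1.hex().encode("ascii") + b"}}\n"
            b"}")


if __name__ == "__main__":
    result = triage_rtf(build_sample())
    for key in ("objupdate", "lure", "objdata_count"):
        print(f"{key}: {result[key]}")
    for obj in result["objects"]:
        print(f"objdata at offset {obj['offset']:#x}: {obj['size']} bytes, class {obj['class_name']!r}")
```

On a real sample the same header check applies directly to the carved artifact: the file listed above is the decoded \objdata, so `parse_ole1(open("objdata_00_off000005e7.bin", "rb").read())` reports its ClassName and NativeDataSize. Heavily obfuscated RTFs (the report notes the body is obfuscated) defeat the plain hex regex used here; for those, a tokenizing carver such as `rtfobj` from oletools is the practical tool, and its output can be fed to `parse_ole1` the same way.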