Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 6147316c323ae34d…

MALICIOUS

RTF / .DOC

933.0 KB
MD5: 1b78b5dae336b9bb76e7724fc9e49509 SHA-1: 387705200f55fd0dbd28525daaca684aeb68513c SHA-256: 6147316c323ae34d9bf5ada2486a9e881f056940364aeb267f316724edd506bd
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious File

The RTF document contains heuristics indicating the presence of embedded OLE objects that are automatically linked and updated, suggesting an attempt to execute code. The document body includes a lure instructing the user to 'Enable editing', a common tactic to bypass macro security. The presence of OLE objects and the user-enablement lure strongly suggest this file is designed to execute a malicious payload upon opening.

Heuristics 4

  • Automatically linked OLE object high RTF_OBJAUTLINK
    RTF contains \objautlink — an automatically linked OLE object surface that can be updated or activated when Word opens the document.
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects
  • Macro/content-enable lure medium SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off0001af42.bin
229308f8a301de08f02a422cb7a49cf77ee1c8f4ac82146438ece25eded636e9		 rtf-objdata-decoded RTF \objdata at offset 0x1AF42 4247 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.