RTF malware analysis — malicious · 618779c9797697b6

MALICIOUS

RTF

1.10 MB First seen: 2024-08-02

MD5: c2b8aa2fcbf24110076ce0493105ad2b SHA-1: bbe1619b10614764cb421f22d0f638cf3189f585 SHA-256: 618779c9797697b6768ac88c25ead4cc4c366cb07370250d41055d1f5d40a009

120 Risk Score

Malware Insights

MITRE ATT&CK

T1204 Malicious Link T1204.002 Malicious Link: Malicious File T1566 Phishing T1566.001 Phishing: Spearphishing Attachment T1059 Command and Scripting Interpreter T1059.005 Command and Scripting Interpreter: Visual Basic

The RTF file contains OLE object data and heuristics indicate that an OLE object is automatically linked and updated, forcing activation. The document body provides a lure related to financial auditing to encourage the user to enable editing, which is a common technique for macro-based malware droppers. The embedded OLE object is the most likely vector for delivering the malicious payload.

Heuristics 4

Automatically linked OLE object high RTF_OBJAUTLINK

RTF contains \objautlink — an automatically linked OLE object surface that can be updated or activated when Word opens the document.
\objupdate forces OLE activation high RTF_OBJUPDATE

RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
OLE object data medium RTF_OBJDATA

RTF contains 1 \objdata section(s) — embedded OLE objects
Macro/content-enable lure medium SE_ENABLE_LURE

Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`objdata_00_off000cc331.bin` `e05e531dfdda003bbe51453a480e796529690a69d4696e4d70c3bc77c9fcb260`	rtf-objdata-decoded	RTF \objdata at offset 0xCC331	1759 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.