Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 6f3496cde219e60e…

MALICIOUS

RTF / .DOC

358.4 KB First seen: 2022-10-27
MD5: f2e16eea320961e67e57ecd62c5f4248 SHA-1: 8ded7e4f7910d4705e3d228e71afe548278d8bc3 SHA-256: 6f3496cde219e60ea989644a92e45f64e3446e3e08a89f7de78115b4c3173593
80 Risk Score

Malware Insights

MITRE ATT&CK
T1204 Malicious Link T1204.002 Malicious Link: Malicious File T1566 Phishing T1566.001 Phishing: Spearphishing Attachment T1566.002 Phishing: Spearphishing via Service

The RTF document contains OLE object data and uses an \objupdate directive, indicating it's designed to activate embedded objects. The document body explicitly instructs the user to 'Enable editing', a common lure to bypass security settings and allow malicious content, such as macros, to execute. This suggests a downloader or droppper attack pattern.

Heuristics 3

  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects
  • Macro/content-enable lure medium SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off00001c35.bin
bbe4d613765df8cd9e7e72722c3569b08805aa54c12b59ff23999e1c4aa39d7b		 rtf-objdata-decoded RTF \objdata at offset 0x1C35 1504 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.