Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 6f3f0601dfed94eb…

Verdict: MALICIOUS
File type: RTF / .DOC
Size: 6.8 KB
First seen: 2022-07-26
MD5: 423a07a437bc889d36ab9caf3c15ce44
SHA-1: 47941610f1b47ad15fb6f847d2029a320ceb0bc2
SHA-256: 6f3f0601dfed94ebbcefb8305de5fc98b9f055e094ec617e5b718c3b991abd82
Risk score: 80

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1203 Exploitation for Client Execution
  • T1059.005 Command and Scripting Interpreter: Visual Basic

The RTF contains embedded OLE object data (\objdata groups) and carries the \objupdate control word, which makes Word update, and therefore instantiate, the embedded object as soon as the document is opened, without the user double-clicking it. That combination is characteristic of documents that exploit the handler of the embedded object, almost always Equation Editor; the class name in the OLE1 header of the carved \objdata is the quickest way to confirm which handler is targeted. The document body also tells the user to 'enable editing' to see the message. Attachments open in Protected View by default, and Protected View does not activate OLE objects, so the purpose of the lure is to get the user out of Protected View; once that happens \objupdate fires and the object activates with no further interaction. The T1059.005 (Visual Basic) mapping should be read with care: an RTF cannot carry VBA macros and the report shows none, so the lure here serves the OLE object rather than a macro.

Heuristics (3)

  • \objupdate forces OLE activation (severity: high, rule: RTF_OBJUPDATE)
    The RTF contains \objupdate, which makes Word update the embedded OLE object when the document is opened, so the object is instantiated without the user interacting with it. Almost exclusively seen in Equation Editor exploit documents; check the class name in the OLE1 header of the carved \objdata to confirm the targeted handler.
  • OLE object data (severity: medium, rule: RTF_OBJDATA)
    The RTF contains 2 \objdata section(s), i.e. hex-encoded embedded OLE objects. Only one of the two was carved (see Extracted artifacts); the second should be located and decoded by hand.
  • Macro/content-enable lure (severity: medium, rule: SE_ENABLE_LURE)
    The document instructs the user to enable macros or editing, a standard dropper technique for getting past Office protections. For an RTF, which cannot carry VBA macros, the 'enable editing' prompt targets Protected View: the document opens read-only there and the OLE object is not activated until the user clicks Enable Editing.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00000749.bin
SHA-256:  bba4b219b5d414a58be5f011ae9fc4a0d4eba05703526b2393b1d09fb3299c36
Kind:     rtf-objdata-decoded (hex-decoded contents of the \objdata group)
Source:   RTF \objdata at offset 0x749
Size:     1481 bytes
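The three heuristics above and the carving step in this section, as an added worked example that is not part of the report or of the tool that produced it. The script builds a constructed RTF sample (not the analysed file; its OLE native data is a placeholder, not an exploit), decodes each \objdata group the permissive way RTF carvers do (whitespace, nested groups and stray control words are skipped, only hex digits are kept), parses the OLE1 object header to recover the embedded object's class name, and emits the same three rule IDs the report uses. The function names triage, extract_objdata and parse_ole1 and the sample content are this example's own assumptions; the OLE1 header layout follows MS-OLEDS.

```python
import hashlib
import json
import re
import struct

# ---- constructed sample (NOT the analysed file) ---------------------------
# Shaped like the report's findings: \objupdate on an embedded object, one
# hex-encoded \objdata group and an "Enable Editing" lure in the body. The
# native data is a placeholder, not an exploit.
_PLACEHOLDER_NATIVE = b"placeholder-native-data"          # 23 bytes


def build_sample_rtf() -> bytes:
    class_name = b"Equation.3\x00"
    ole1 = (
        struct.pack("<II", 0x00000501, 0x00000002)         # OLEVersion, FormatID=embedded
        + struct.pack("<I", len(class_name)) + class_name  # ClassName (length-prefixed)
        + struct.pack("<II", 0, 0)                         # empty TopicName / ItemName
        + struct.pack("<I", len(_PLACEHOLDER_NATIVE)) + _PLACEHOLDER_NATIVE
    )
    hexdata = ole1.hex().encode()
    lines = [hexdata[i:i + 32] for i in range(0, len(hexdata), 32)]  # Word-style line wrap
    return (
        b"{\\rtf1\\ansi\\deff0\r\n"
        b"{\\object\\objemb\\objupdate\\objw1440\\objh720"
        b"{\\*\\objclass Equation.3}"
        b"{\\*\\objdata " + b"\r\n".join(lines) + b"}}\r\n"
        b"\\par This document is protected. Click \"Enable Editing\" to view it.\r\n"
        b"}"
    )


SAMPLE_RTF = build_sample_rtf()

OBJUPDATE_RE = re.compile(rb"\\objupdate(?![A-Za-z])")
OBJDATA_RE = re.compile(rb"\\objdata(?![A-Za-z])")
# control word (\name, optional signed parameter, optional space delimiter),
# \'hh escape, or a one-character control symbol such as \*
CONTROL_RE = re.compile(rb"\\(?:[A-Za-z]+-?[0-9]* ?|'[0-9A-Fa-f]{2}|[^A-Za-z])")
LURE_RE = re.compile(rb"enable\s+(?:editing|content|macros)", re.IGNORECASE)
HEXDIGITS = b"0123456789abcdefABCDEF"


def extract_objdata(rtf: bytes) -> list:
    """Return [(offset, decoded_bytes)] for every \\objdata group in the RTF.

    Only hex digits inside the group are kept; whitespace, nested groups and
    control words (a common obfuscation) are skipped. A dangling nibble is dropped.
    """
    out = []
    for m in OBJDATA_RE.finditer(rtf):
        pos, depth, hexchars = m.end(), 0, bytearray()
        while pos < len(rtf):
            c = rtf[pos:pos + 1]
            if c == b"{":
                depth += 1
            elif c == b"}":
                if depth == 0:
                    break                       # closing brace of the \objdata group
                depth -= 1
            elif c == b"\\":
                cw = CONTROL_RE.match(rtf, pos)
                if cw is None:
                    break
                pos = cw.end()                  # skip the control word/symbol
                continue
            elif c in HEXDIGITS:
                hexchars += c
            pos += 1
        if len(hexchars) % 2:
            hexchars = hexchars[:-1]
        out.append((m.start(), bytes.fromhex(hexchars.decode("ascii"))))
    return out


def parse_ole1(blob: bytes) -> dict:
    """Parse the OLE 1.0 header in front of embedded data (MS-OLEDS ObjectHeader):
    OLEVersion, FormatID, ClassName, TopicName, ItemName, NativeDataSize, NativeData."""
    version, fmt, n = struct.unpack_from("<III", blob, 0)
    pos = 12
    class_name = blob[pos:pos + n].rstrip(b"\x00")
    pos += n
    for _ in ("TopicName", "ItemName"):         # skip both length-prefixed strings
        n, = struct.unpack_from("<I", blob, pos)
        pos += 4 + n
    native_size, = struct.unpack_from("<I", blob, pos)
    pos += 4
    return {"version": version, "format_id": fmt, "class_name": class_name,
            "native_size": native_size, "native": blob[pos:pos + native_size]}


def triage(rtf: bytes) -> dict:
    """Apply the report's three heuristics and carve every \\objdata object."""
    objects = []
    for offset, blob in extract_objdata(rtf):
        entry = {"offset": offset, "size": len(blob),
                 "sha256": hashlib.sha256(blob).hexdigest(),
                 "class_name": None, "native_size": None, "equation_editor": False}
        try:
            hdr = parse_ole1(blob)
        except struct.error:
            hdr = None                          # not OLE1 or truncated: keep the raw carve
        if hdr is not None and hdr["format_id"] == 2:
            entry["class_name"] = hdr["class_name"].decode("latin-1")
            entry["native_size"] = hdr["native_size"]
            # Equation Editor objects announce themselves as Equation.2 / Equation.3
            entry["equation_editor"] = hdr["class_name"].lower().startswith(b"equation")
        objects.append(entry)
    flags = []
    if OBJUPDATE_RE.search(rtf):
        flags.append("RTF_OBJUPDATE")
    if objects:
        flags.append("RTF_OBJDATA")
    if LURE_RE.search(rtf):
        flags.append("SE_ENABLE_LURE")
    return {"flags": flags, "objdata_count": len(objects), "objects": objects}


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_RTF), indent=2))
```

Run it against a real sample by passing the file's bytes to triage(); an object whose class name is not Equation.* while \objupdate is present still deserves a look, since in-the-wild samples omit or obfuscate the class name, and the second \objdata section the report counted but did not carve is exactly the kind of group this permissive decoder is meant to recover.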