RTF / .DOC malware analysis — malicious · 7583d99426f32a09

MALICIOUS

RTF / .DOC

21.0 KB First seen: 2022-09-28

MD5: 1bec2ce33fbfac0bae25e2e97f192172 SHA-1: d7bcee3c070796b2c618415533f57b5d9c48f5be SHA-256: 7583d99426f32a09f530dc3746df2ccb44aada08f258083565cffe4491f0f6d4

120 Risk Score

Malware Insights

MITRE ATT&CK

T1204 Malicious Link T1204.002 Malicious Link: Malicious File T1566 Phishing T1566.001 Phishing: Spearphishing Attachment T1566.002 Phishing: Spearphishing via Service

The RTF document contains OLE object data and uses an \objupdate directive, indicating it's designed to activate embedded objects. The heuristic 'SE_ENABLE_LURE' confirms the document instructs the user to enable editing and macros, a common tactic for malware droppers. The embedded OLE object likely contains the malicious payload.

Heuristics 4

Ole10Native stream in RTF OLE object high CVE related RTF_OLE10NATIVE_STREAM

RTF contains an embedded OLE object with an Ole10Native stream. This is a strong payload-container signal and is related to Word/OLE exploit delivery, but it is not specific enough on its own to assign a CVE.
\objupdate forces OLE activation high RTF_OBJUPDATE

RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
OLE object data medium RTF_OBJDATA

RTF contains 2 \objdata section(s) — embedded OLE objects
Macro/content-enable lure medium SE_ENABLE_LURE

Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`objdata_00_off0000170f.bin` `2a25640ac5ebbd87c821bf2109747fc8d682f446f97d1539fd5e9b8b99464838`	rtf-objdata-decoded	RTF \objdata at offset 0x170F	4291 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.