Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 799510305a696984…

MALICIOUS

RTF / .DOC

Size: 26.1 KB    First seen: 2022-11-30
MD5:     5e1b359c42a68e7b1e9049902249cc43
SHA-1:   8e286b7e8c7ce54522428e90c1bddd9c43d66171
SHA-256: 799510305a69698420182f372ad62045330faf4964ceeb6fbbed82b5728b7eea
Risk score: 80

Malware Insights

MITRE ATT&CK
  • T1204 User Execution
  • T1204.002 User Execution: Malicious File
  • T1566 Phishing
  • T1566.001 Phishing: Spearphishing Attachment
  • T1566.002 Phishing: Spearphishing Link

The RTF contains an embedded OLE object (\objdata) together with an \objupdate control word, which makes Word update, and therefore activate, the object as soon as the document is loaded, with no click from the user. The document body tells the reader to click 'Enable editing', claiming the file was created in an older version of Word. That lure exists to get the reader out of Protected View, in which embedded objects are not activated; an RTF carries no VBA macros, so it is Protected View rather than macro security that the lure is meant to defeat. Taken together, the file should be treated as a dropper whose payload runs once the user leaves Protected View and the OLE object is instantiated.

Heuristics (3)

  • \objupdate forces OLE activation [high] (RTF_OBJUPDATE)
    RTF contains \objupdate: the control word forces automatic OLE object instantiation when the document is opened, so no user interaction with the object is needed. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data [medium] (RTF_OBJDATA)
    RTF contains 1 \objdata section(s): hex-encoded embedded OLE object(s).
  • Macro/content-enable lure [medium] (SE_ENABLE_LURE)
    Document instructs the user to enable macros or editing: a common technique used by malware droppers to get the reader to leave Protected View or to bypass Office macro security settings.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off0000554d.bin
SHA-256:  6bb1900c8ee783b5e1574d38b05f1530a7f4f5ae2de3a236267efcc18e0ec0ad
Kind:     rtf-objdata-decoded
Source:   RTF \objdata at offset 0x554D
Size:     1386 bytes
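Added example (not the analysis platform's own code) showing how the RTF_OBJUPDATE and RTF_OBJDATA heuristics above and the 'rtf-objdata-decoded' carving in the artifact table can be reproduced: it scans raw RTF bytes for \objupdate, hex-decodes each \objdata section, names the carved blob objdata_NN_off<offset>.bin (assuming the offset is that of the \objdata control word, which is an assumption about the platform's naming convention), hashes it, and parses the OLE1 ObjectHeader (MS-OLEDS) to recover the object's class name and native data. The RTF and its payload are constructed for this example and are inert; the sample on this page is not reproduced here.

```python
"""Carve embedded OLE objects out of an RTF and flag \\objupdate.

Added example, not the analysis platform's tooling. The sample RTF
below is constructed for this example and its payload is inert.
"""
import hashlib
import re
import struct

# \objdata is followed by the object as hex text; whitespace may be interleaved.
OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9A-Fa-f\s]+)")
OBJUPDATE_RE = re.compile(rb"\\objupdate\b")


def read_lp_ansi(buf, pos):
    """MS-OLEDS LengthPrefixedAnsiString: 4-byte LE length, then bytes (NUL included)."""
    (length,) = struct.unpack_from("<I", buf, pos)
    pos += 4
    s = buf[pos:pos + length]
    return s.rstrip(b"\x00").decode("latin-1"), pos + length


def parse_ole1(blob):
    """Parse an OLE1 ObjectHeader; for FormatID 2 (embedded) also pull the NativeData."""
    version, format_id = struct.unpack_from("<II", blob, 0)
    pos = 8
    class_name, pos = read_lp_ansi(blob, pos)   # e.g. "Package", "Equation.3"
    _topic, pos = read_lp_ansi(blob, pos)
    _item, pos = read_lp_ansi(blob, pos)
    info = {"ole_version": version, "format_id": format_id, "class_name": class_name}
    if format_id == 2:  # EmbeddedObject: NativeDataSize followed by NativeData
        (native_size,) = struct.unpack_from("<I", blob, pos)
        pos += 4
        info["native_data"] = blob[pos:pos + native_size]
    return info


def analyze_rtf(data):
    """Return the two RTF heuristics plus carved objects for raw RTF bytes."""
    result = {"objupdate": bool(OBJUPDATE_RE.search(data)), "objects": []}
    for idx, m in enumerate(OBJDATA_RE.finditer(data)):
        hexstr = re.sub(rb"\s+", b"", m.group(1))
        if len(hexstr) % 2:          # odd nibble count: drop the dangling nibble
            hexstr = hexstr[:-1]
        blob = bytes.fromhex(hexstr.decode("ascii"))
        offset = m.start()           # assumption: offset of the \objdata control word
        entry = {
            "filename": "objdata_%02d_off%08x.bin" % (idx, offset),
            "offset": offset,
            "size": len(blob),
            "sha256": hashlib.sha256(blob).hexdigest(),
        }
        try:
            entry["ole1"] = parse_ole1(blob)
        except struct.error:         # truncated or non-OLE1 data: keep the raw carve
            entry["ole1"] = None
        result["objects"].append(entry)
    return result


def build_ole1(class_name, native):
    """Build a minimal OLE1 EmbeddedObject (used only to construct the test RTF)."""
    def lp(s):
        s = s + b"\x00"
        return struct.pack("<I", len(s)) + s
    return (struct.pack("<II", 0x00000501, 2) + lp(class_name) + lp(b"") + lp(b"")
            + struct.pack("<I", len(native)) + native)


# Constructed sample: an \objupdate-bearing embedded object plus the lure text.
NATIVE = b"inert example payload, not executable"
SAMPLE_RTF = (
    b"{\\rtf1\\ansi\n"
    b"{\\object\\objemb\\objupdate{\\*\\objclass Package}\n"
    b"{\\*\\objdata " + build_ole1(b"Package", NATIVE).hex().encode("ascii") + b"}}\n"
    b"\\par This document was created in an older version of Word. Enable editing to view it.\\par}"
)


if __name__ == "__main__":
    report = analyze_rtf(SAMPLE_RTF)
    print("RTF_OBJUPDATE:", report["objupdate"])
    for obj in report["objects"]:
        print(obj["filename"], obj["size"], "bytes", obj["sha256"])
        if obj["ole1"]:
            print("  class:", obj["ole1"]["class_name"], "format_id:", obj["ole1"]["format_id"])
```

Run it against a real sample with analyze_rtf(open(path, "rb").read()); a class name such as Equation.3 in the carved object is the usual marker of the Equation Editor documents the RTF_OBJUPDATE heuristic refers to. The regex-based carve is deliberately tolerant of whitespace inside the hex, but it does not handle RTF obfuscation tricks such as control words interleaved with the hex; a full parser like oletools' rtfobj covers those.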