Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 83af6b250f20ac16…

MALICIOUS

RTF / .DOC

Size: 291.4 KB
First seen: 2024-05-22
MD5: d0327dcff2c3a4b19f4991a4e000c45a
SHA-1: 968c540a22baf61c599f735090e79960905ea528
SHA-256: 83af6b250f20ac16f456087fa3da190876b423cecc42c2f624bb167f932e7d6e
Risk Score: 80

Malware Insights

MITRE ATT&CK
  • T1204 Malicious Link
  • T1204.002 Malicious Link: Malicious File
  • T1566 Phishing
  • T1566.001 Phishing: Spearphishing Attachment

The RTF document contains OLE object data together with an instruction to update the OLE object, indicating that it is designed to execute embedded content. The document body provides a lure by discussing financial audits and prompting the user to 'Enable editing', a common tactic used by macro-based malware droppers to bypass security settings and execute their payload.

Heuristics (3)

  • \objupdate forces OLE activation [high] (RTF_OBJUPDATE)
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data [medium] (RTF_OBJDATA)
    RTF contains 1 \objdata section(s), i.e. embedded OLE objects.
  • Macro/content-enable lure [medium] (SE_ENABLE_LURE)
    Document instructs the user to enable macros or editing, a common technique used by malware droppers to bypass Office macro security settings.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00015efd.bin
SHA-256:  b373d1cabbe731b12e089fa2d9fd4d4f744c1e06f91b0695873f124ed679ff42
Kind:     rtf-objdata-decoded
Source:   RTF \objdata at offset 0x15EFD
Size:     1592 bytes