Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 8c3521d67ca68685…

Verdict: MALICIOUS
File type: RTF / .DOC
Size: 163.0 KB
First seen: 2022-10-21
MD5: 71b376bb593f0138ab6810a40a7e2e26
SHA-1: 20bc5f2f9001dcb29d770ba375c5adb88b8a6c00
SHA-256: 8c3521d67ca686858fc3575dab75da18bdfc3c3425a1530e943caf907a8af69b
Risk score: 80

Malware Insights

MITRE ATT&CK
  • T1204 User Execution
    T1204.002 Malicious File
  • T1566 Phishing
    T1566.001 Spearphishing Attachment

The RTF document contains OLE object data and uses an \objupdate directive, indicating an attempt to exploit OLE vulnerabilities or embed malicious content. The document body explicitly instructs the user to 'Enable editing' and implies macros are needed, which is a common lure for macro-based malware delivery. No scripts were extracted, but the heuristics strongly suggest a malicious document designed to trick users into enabling malicious content.

Heuristics (3)

  • \objupdate forces OLE activation (severity: high, rule: RTF_OBJUPDATE)
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium, rule: RTF_OBJDATA)
    RTF contains 1 \objdata section(s) — embedded OLE objects.
  • Macro/content-enable lure (severity: medium, rule: SE_ENABLE_LURE)
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00000f59.bin
SHA-256:  95099c5541af458612ce10ef429e5eda352d09d89f3bbd292a9d93593c38962b
Kind:     rtf-objdata-decoded
Source:   RTF \objdata at offset 0xF59
Size:     1668 bytes