Malicious RTF — malware analysis report

Static analysis result for SHA-256 937081feb5a92bd1…

MALICIOUS

RTF

473.4 KB First seen: 2024-06-14
MD5: 15c3e84e2d85208e9a8ae0002937ad01 SHA-1: 00214e7461ba5ebfd8ba34d80ea6aa3d3923ede6 SHA-256: 937081feb5a92bd12a4dd14da3180bbf029bd4ccc537f2d7c15617bd65960478
80 Risk Score

Malware Insights

MITRE ATT&CK
T1204 Malicious Link T1204.002 Malicious Link: Malicious File T1566 Phishing T1566.001 Phishing: Spearphishing Attachment

The RTF file contains an OLE object and an instruction to enable editing, which are common lures for macro-based malware delivery. The document body discusses financial audits to appear legitimate, but the presence of the OLE object and the lure strongly suggest it's designed to bypass security controls and execute a secondary payload.

Heuristics 3

  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects
  • Macro/content-enable lure medium SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off00016c69.bin
c8ead042cf708715de16e11462d119436d29507df18eb28f6a66a1fadd57ce6c		 rtf-objdata-decoded RTF \objdata at offset 0x16C69 1867 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.