Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 976dd1b84a2d334e…

MALICIOUS

RTF / .DOC

Size: 150.5 KB
First seen: 2023-10-20
MD5: d04f6637d6fa09f17693134878dc14d8
SHA-1: 28a65cfc1ed78fed8241bb5fdea5f98e81af028a
SHA-256: 976dd1b84a2d334e9f8aa206cde5c565120c4d81e5e263450e900581ae76b939
Risk Score: 80

Malware Insights

MITRE ATT&CK

  • T1204 Malicious Link
  • T1204.002 Malicious Link: Malicious File
  • T1566 Phishing
  • T1566.001 Phishing: Spearphishing Attachment

The RTF document contains OLE object data and an instruction to update the object, indicating it's designed to exploit OLE vulnerabilities or embed malicious content. The document body provides a lure about financial audits, instructing the user to 'enable editing', a common tactic to bypass macro security and execute embedded malicious code. The heuristic 'SE_ENABLE_LURE' directly supports this finding.

Heuristics (3)

  • \objupdate forces OLE activation [high] RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data [medium] RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects.
  • Macro/content-enable lure [medium] SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  • Filename: objdata_00_off00002c3a.bin
    SHA-256: 1cb0005c17abcd2af05d8da388e0db3f7ffd7ea689e2a27f11681821d7879a48
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x2C3A
    Size: 1701 bytes