Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 97c089cb4b2f2e2c…

MALICIOUS

RTF / .DOC

27.4 KB First seen: 2022-12-15
MD5: b4bbeaca463c2a7a5b686f3aeac7c5dd SHA-1: bd1cdc8067cad18fba4ba11e24f4cb246cbe9330 SHA-256: 97c089cb4b2f2e2c8e3741d1d05199b8811c00cd83602815260589b8cae03fdd
80 Risk Score

Malware Insights

MITRE ATT&CK
T1204 User Execution: Malicious Link T1566 Phishing T1566.001 Phishing: Spearphishing Attachment T1059.005 Command and Scripting Interpreter: Visual Basic

The RTF document contains an OLE object and uses an \objupdate directive, indicating an attempt to exploit OLE vulnerabilities or embed malicious content. The document body explicitly instructs the user to 'Enable editing' due to being created in an older version of Microsoft Office, a known social engineering lure to bypass macro security. This suggests the file is a dropper designed to execute further malicious payloads upon user interaction.

Heuristics 3

  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects
  • Macro/content-enable lure medium SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off0000549e.bin
e4b0731e7417c2887da96c61125be76b60f5dc949fedc3480ad207a339bfb71e		 rtf-objdata-decoded RTF \objdata at offset 0x549E 1846 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.