Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 98a2464ec799d2bb…

Verdict: MALICIOUS
File type: RTF / .DOC
Size: 656.6 KB
MD5: f619515f3a26a0e52bd4a7b9a9696419
SHA-1: a364f04cc0412be29a6f4ad105b83fa3568fa1a2
SHA-256: 98a2464ec799d2bbd169e8d65e5cc5fcdee0905685daa4e17d975927dbc86598
Risk Score: 100

Malware Insights

MITRE ATT&CK
  • T1204 Malicious Link
  • T1204.002 Malicious Link: Malicious File

The RTF document contains embedded OLE objects and uses an \objupdate directive, indicating an attempt to activate embedded content. The document body explicitly instructs the user to 'click Enable editing from the yellow bar above,' which is a common lure to bypass macro security settings. This suggests the file is designed to trick the user into executing malicious code, likely for further exploitation.

Heuristics (4)

  • \objupdate forces OLE activation (severity: high, rule: RTF_OBJUPDATE)
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium, rule: RTF_OBJDATA)
    RTF contains 1 \objdata section(s) — embedded OLE objects.
  • Embedded OLE object (severity: medium, rule: RTF_OBJEMB)
    RTF contains \objemb — embedded OLE object.
  • Macro/content-enable lure (severity: medium, rule: SE_ENABLE_LURE)
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off000115b8.bin
SHA-256: 3e41401e32768f5acdfd62f3a5ea53ab72274a16f14625901679a67c47baba2c
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x115B8
Size: 3732 bytes