Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 99d616da31d3be25…

MALICIOUS

RTF / .DOC

9.8 KB First seen: 2023-01-16
MD5: 6f887ca5b9e825c1d0967a3442d1e0d7 SHA-1: 2d5db10ad4ec596d36a8410e6a11a1b41fd752da SHA-256: 99d616da31d3be259b694bdf68eb248858361b8c0f6606a9600b12ceb5756cd5
80 Risk Score

Malware Insights

MITRE ATT&CK
T1204 User Execution T1204.002 Malicious File

The RTF document contains an OLE object and uses an \objupdate directive, indicating an attempt to activate embedded content. The document body explicitly instructs the user to "enable editing", a common lure to bypass macro security settings and execute malicious content. No scripts were extracted, and the family is undetermined.

Heuristics 3

  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects
  • Macro/content-enable lure medium SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off00001c9b.bin
757fa795585bb4e514f8f1d063f97bf34c478c115b92b34420d7b941fd4b9a0d		 rtf-objdata-decoded RTF \objdata at offset 0x1C9B 1299 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.