Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 9cd1a9ba314eb57d…

MALICIOUS

RTF / .DOC

Size: 39.1 KB
First seen: 2022-12-15
MD5: c3c9d09026577540f17da3b99d77d6e2
SHA-1: 9beecd478e9d06597f81733817911268ee0b5662
SHA-256: 9cd1a9ba314eb57d6e8a8313a869c0d7cec50096ec766b8b46270201bccc0fc3
Risk score: 80

Malware Insights

MITRE ATT&CK

  • T1204 User Execution: Malicious Link
  • T1566 Phishing
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059 Command and Scripting Interpreter
  • T1059.005 Command and Scripting Interpreter: Visual Basic

The RTF document contains OLE object data and an \objupdate directive, indicating that it is designed to exploit OLE vulnerabilities or to embed malicious content. The document body explicitly instructs the user to 'Enable editing' because the file was supposedly created in an 'earlier version of Microsoft Office', a known social engineering lure for bypassing macro security. This suggests the file is a dropper intended to execute further malicious code once the user interacts with it.

Heuristics (3)

  • \objupdate forces OLE activation (severity: high, rule ID: RTF_OBJUPDATE)
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium, rule ID: RTF_OBJDATA)
    RTF contains 1 \objdata section(s) — embedded OLE objects.
  • Macro/content-enable lure (severity: medium, rule ID: SE_ENABLE_LURE)
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00008ad8.bin
SHA-256: b051718b33513bd96b37e58676d3bed2c702442e84544dcb82d5e67118b20007
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x8AD8
Size: 1491 bytes