Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 a0212b7de7b4fd85…

Verdict: MALICIOUS
Type: RTF / .DOC
Size: 855.8 KB
MD5: bda4977ebbb81fa5aebb932937ccc6dd
SHA-1: 8c7dd0264cc508a8cc7b6bfec0482d6a787eb9d9
SHA-256: a0212b7de7b4fd85784ba4e517c7e7f404a0405e7a8ff9d9e8b56d6556c268e5
Risk score: 80

Malware Insights

MITRE ATT&CK
T1204 User Execution; T1566.001 Spearphishing Attachment; T1059.005 Visual Basic

The RTF document contains OLE object data and an \objupdate directive, so the embedded object is activated as soon as the document is opened rather than when the user double-clicks it. The document body explicitly instructs the user to 'Enable editing' and implies that macros must be enabled, a common lure for malicious documents. Together these indicate a dropper: the lure persuades the user to leave Protected View (which blocks active content such as OLE object activation) and to relax macro security, and the embedded object then executes a further payload. Note that RTF itself cannot carry VBA macros, so any macro would have to live inside the embedded OLE object (for example an embedded Word document); the macro-enable wording may be generic lure text rather than evidence of VBA in this file.

Heuristics (3)

  • \objupdate forces OLE activation (high, RTF_OBJUPDATE)
    RTF contains \objupdate, which forces the embedded OLE object to be updated (instantiated) when the document is opened, with no double-click or other user action. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (medium, RTF_OBJDATA)
    RTF contains 1 \objdata section(s): hex-encoded embedded OLE object(s).
  • Macro/content-enable lure (medium, SE_ENABLE_LURE)
    Document instructs the user to enable macros or editing, a common technique used by malware droppers to get past Office macro security settings and Protected View.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off0001a5ad.bin
SHA-256:  d69760adbdb4ef8873cbf5f1565d6bb96a67c05426db3c26dcb5641e536e675f
Kind:     rtf-objdata-decoded
Source:   RTF \objdata at offset 0x1A5AD
Size:     4267 bytes
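As an added worked example (not the report's own analyzer or any code from the sample), the following Python script reproduces the three heuristics above over a constructed RTF and carves and decodes its \objdata group the way the artifact table shows, including the OLE1 header parse that reveals the embedded class name. The sample RTF, the \fake1 filler control word and the function names are constructed for illustration; only the rule IDs and the objdata_NN_offXXXXXXXX.bin naming are taken from the report.

```python
import binascii
import hashlib
import re
from typing import Dict, List, Tuple

# Constructed sample (not the analyzed file) with the shape the heuristics
# describe: an \object group carrying \objupdate, hex-encoded \objdata whose
# OLE1 header names the Equation.3 class, and an "Enable editing" lure. The
# stray \fake1 control word and line breaks imitate RTF obfuscator filler.
SAMPLE_RTF = (
    rb"{\rtf1\ansi\deff0{\fonttbl{\f0 Calibri;}}" b"\n"
    rb"\pard This document is protected. Click Enable Editing, then Enable Content to view it.\par" b"\n"
    rb"{\object\objemb\objupdate{\*\objclass Equation.3}" b"\n"
    rb"{\*\objdata 01050000 02000000 0b000000 4571756174696f6e2e3300" b"\n"
    rb"00000000 00000000 10000000\fake1 d0cf11e0a1b11ae1 0000000000000000}}" b"\n"
    rb"}"
)

OBJDATA_OPEN = re.compile(rb"\{\\\*\\objdata(?![a-zA-Z])")
OBJUPDATE = re.compile(rb"\\objupdate(?![a-zA-Z])")
CONTROL_WORD = re.compile(rb"\\[a-zA-Z]+-?\d* ?")
LURE = re.compile(rb"enable\s+(editing|content|macros?)", re.I)
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # compound file header

def rtf_groups(data: bytes, opener: re.Pattern) -> List[Tuple[int, bytes]]:
    # Brace-match every group that starts with `opener`, honouring escaped
    # braces (\{ \} \\) so nested or obfuscated groups cannot truncate the
    # payload. Returns (offset of the opening brace, body after the opener).
    out = []
    for m in opener.finditer(data):
        depth, i = 0, m.start()
        while i < len(data):
            c = data[i:i + 1]
            if c == b"\\" and data[i + 1:i + 2] in (b"{", b"}", b"\\"):
                i += 2
                continue
            if c == b"{":
                depth += 1
            elif c == b"}":
                depth -= 1
                if depth == 0:
                    out.append((m.start(), data[m.end():i]))
                    break
            i += 1
    return out

def decode_objdata(body: bytes) -> bytes:
    # Drop interleaved control words, then every non-hex byte, and tolerate a
    # dangling nibble; Word's parser is this lenient, so a scanner must be too.
    hexdata = re.sub(rb"[^0-9A-Fa-f]", b"", CONTROL_WORD.sub(b"", body))
    return binascii.unhexlify(hexdata[: len(hexdata) // 2 * 2])

def parse_ole1(blob: bytes) -> Dict[str, object]:
    # OLE1 ObjectHeader (MS-OLEDS): OLEVersion, FormatID, three length-prefixed
    # ANSI names (class, topic, item). FormatID 2 (EmbeddedObject) is followed
    # by NativeDataSize and the native data, an OLE2 compound file here.
    def u32(off: int) -> int:
        return int.from_bytes(blob[off:off + 4], "little")

    def lp_string(off: int) -> Tuple[str, int]:
        n = u32(off)
        return blob[off + 4:off + 4 + n].rstrip(b"\x00").decode("latin-1"), off + 4 + n

    fmt = u32(4)
    cls, off = lp_string(8)
    _topic, off = lp_string(off)
    _item, off = lp_string(off)
    native = blob[off + 4:off + 4 + u32(off)] if fmt == 2 else b""
    return {"format_id": fmt, "class_name": cls, "native_data": native,
            "is_ole2_compound": native.startswith(OLE2_MAGIC)}

def triage(data: bytes) -> Dict[str, object]:
    # The report's three heuristics as rule IDs. Lure matching runs on raw RTF;
    # a real scanner should de-RTF first, since "Ena\i0 ble" defeats a substring.
    groups = rtf_groups(data, OBJDATA_OPEN)
    lures = sorted({m.group(0).decode("latin-1").lower() for m in LURE.finditer(data)})
    hits = []
    if OBJUPDATE.search(data):
        hits.append("RTF_OBJUPDATE")
    if groups:
        hits.append("RTF_OBJDATA")
    if lures:
        hits.append("SE_ENABLE_LURE")
    return {"heuristics": hits, "lures": lures, "objdata_count": len(groups)}

def carve(data: bytes) -> List[Dict[str, object]]:
    # One record per \objdata group, named objdata_NN_offXXXXXXXX.bin after the
    # group's byte offset in the RTF, as in the artifact table above.
    records = []
    for n, (off, body) in enumerate(rtf_groups(data, OBJDATA_OPEN)):
        blob = decode_objdata(body)
        records.append({"filename": f"objdata_{n:02d}_off{off:08x}.bin",
                        "sha256": hashlib.sha256(blob).hexdigest(),
                        "size": len(blob), "ole1": parse_ole1(blob)})
    return records

if __name__ == "__main__":
    print(triage(SAMPLE_RTF))
    for rec in carve(SAMPLE_RTF):
        print(rec["filename"], rec["size"], rec["sha256"], rec["ole1"]["class_name"])
```

Run it as a script to see the triage verdict and the carved-object record for the constructed sample; pass real file bytes to triage() and carve() to reproduce the report's findings on a sample of your own. The brace matching and control-word stripping matter in practice: obfuscated RTF droppers routinely break the \objdata hex across lines and pad it with junk control words, and a naive regex for a contiguous hex run misses the object entirely.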