MALICIOUS
140
Risk Score
Malware Insights
MITRE ATT&CK
T1204 Malicious Link
T1204.002 Malicious Link: Malicious File
T1566 Phishing
T1566.001 Phishing: Spearphishing Attachment
T1566.002 Phishing: Spearphishing via Service
The file is an RTF document containing OLE object data, with heuristics indicating that \objupdate forces OLE activation. The document body contains a lure instructing the user to 'enable editing to view in readable format', a common technique to bypass macro security settings and deliver malicious content. No scripts were extracted, and the specific malware family could not be determined.
Heuristics 5
-
Ole10Native stream in RTF OLE object high RTF_OLE10NATIVE_STREAMRTF contains an embedded OLE object with an Ole10Native stream. This is a strong payload-container signal and is related to Word/OLE exploit delivery, but it is not specific enough on its own to assign a CVE.
-
\objupdate forces OLE activation high RTF_OBJUPDATERTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
-
OLE object data medium RTF_OBJDATARTF contains 2 \objdata section(s) — embedded OLE objects
-
Embedded OLE object medium RTF_OBJEMBRTF contains \objemb — embedded OLE object
-
Macro/content-enable lure medium SE_ENABLE_LUREDocument instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
objdata_00_off000016bd.bin446d5c9e466aef365ef3a80a39f72c3a39f3450fed3123017ba43fec4ea2d1b2 |
rtf-objdata-decoded | RTF \objdata at offset 0x16BD | 4266 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.