Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 af619d68c383113a…

MALICIOUS

RTF / .DOC

589.7 KB
MD5:     75a0c6d8e022bbbaa51d10561d490a77
SHA-1:   293b68a5ad6d18db921b1050fb05a65e475d1716
SHA-256: af619d68c383113a94b9be3ff42f0d6f377b654e757f1cbeeb98583ed1f1a61f

Risk Score: 80

Malware Insights

MITRE ATT&CK
  • T1204     Malicious Link
  • T1566.001 Spearphishing Attachment
  • T1059.005 Visual Basic

The RTF document contains OLE object data and an \objupdate directive, indicating it is designed to activate embedded objects automatically on open. The document body provides a lure related to financial audits, instructing the user to 'enable editing', a common tactic to bypass security measures and execute malicious content. Together these elements suggest the file is a malicious dropper, though no specific malware family could be identified.

Heuristics (3)

  • RTF_OBJUPDATE (high): \objupdate forces OLE activation
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • RTF_OBJDATA (medium): OLE object data
    RTF contains 1 \objdata section(s) — embedded OLE objects.
  • SE_ENABLE_LURE (medium): Macro/content-enable lure
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00005486.bin
SHA-256:  781746cba2268d160eeaf87495ba1a97f12de89a6924fd466ee4b5453d39a839
Kind:     rtf-objdata-decoded
Source:   RTF \objdata at offset 0x5486
Size:     4283 bytes