Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 b08d894dcac638bb…

MALICIOUS

RTF / .DOC

481.4 KB
MD5: 6fd86c986e91bad5023ef2e420d931e6 SHA-1: 543c84546b1e11d0bd7ab25ce190fcf3ba72d18e SHA-256: b08d894dcac638bb232372b1b6755d6a7e927d10aeb23b053bdb26518e44aefb
80 Risk Score

Malware Insights

MITRE ATT&CK
T1204 Malicious Link T1566.001 Spearphishing Attachment T1059.005 Visual Basic

The RTF document contains embedded OLE object data and an \objupdate directive, indicating an attempt to execute embedded content. The document body presents a fabricated financial audit report, instructing the user to 'click Enable editing from the yellow bar above,' which is a common lure to bypass macro security settings. This suggests the document is designed to trick the user into enabling malicious content, likely to download and execute a second-stage payload.

Heuristics 3

  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects
  • Macro/content-enable lure medium SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off0002d352.bin
2641f48f97c334184a30d968209f0521d8d3bc5eeec1fd150ad6136ab96fbfa7		 rtf-objdata-decoded RTF \objdata at offset 0x2D352 1578 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.