Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 b78e040c0d63061f…

Verdict: MALICIOUS
Type: RTF / .DOC
Size: 712.5 KB
MD5: efcf0612773c1c48d6079a7636fdd2e5
SHA-1: a36a0b6f409f22fad0f463cef075f52ebad17e67
SHA-256: b78e040c0d63061f8a66e423ec0aa2fa7f1d3d6c5a488d147493d9d9ea9247f8
Risk Score: 80

Malware Insights

MITRE ATT&CK
  • T1204 Malicious Link
  • T1566.001 Spearphishing Attachment
  • T1059.005 Visual Basic

The RTF document contains embedded OLE object data and uses an \objupdate directive, indicating an attempt to execute embedded content. The document body provides a lure, instructing the user to 'Enable editing' and implying a need to view financial audit information, which is a common social engineering tactic. The presence of these elements suggests the document is designed to trick the user into enabling malicious macros or scripts, likely to download and execute a secondary payload.

Heuristics (3)

  • \objupdate forces OLE activation (severity: high, rule: RTF_OBJUPDATE)
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium, rule: RTF_OBJDATA)
    RTF contains 1 \objdata section(s) — embedded OLE objects.
  • Macro/content-enable lure (severity: medium, rule: SE_ENABLE_LURE)
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off0000555e.bin
SHA-256:  4ec3f949862b96bcbd68acb880f050032a682ccea4b661faf0b45d3ef9579832
Kind:     rtf-objdata-decoded
Source:   RTF \objdata at offset 0x555E
Size:     4729 bytes