Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 bcade8f76366bc86…

MALICIOUS

RTF / .DOC

635.7 KB
MD5: 35b33d95586ea91ff6b072869623fc8d SHA-1: 818f18b61e61aebe3fbe2a5f15fd486137ce715a SHA-256: bcade8f76366bc86315e2775770083a82a5f1ca9344d03be5ef52616dcceaea8
80 Risk Score

Malware Insights

MITRE ATT&CK
T1204 Malicious Link T1566.001 Spearphishing Attachment T1059.005 Visual Basic

The RTF document contains an OLE object and uses an \objupdate directive, indicating it's designed to activate embedded content. The document body text, disguised as a financial audit report, includes a prompt to 'enable editing from the yellow bar above,' a common social engineering tactic to bypass security measures. This suggests the document's primary purpose is to trick the user into enabling malicious content, likely a macro, which would then execute.

Heuristics 3

  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects
  • Macro/content-enable lure medium SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off00004c86.bin
eec6b213cc349290a76c79862cf4141ecc60bd447dc7576e8f39ab7888c0ebc7		 rtf-objdata-decoded RTF \objdata at offset 0x4C86 4230 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.