Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 c086a3b980d8293e…

Verdict: MALICIOUS
File type: RTF / .DOC
Size: 49.8 KB
First seen: 2023-02-24
MD5: 2e63c5ab9141d76f1953fbf22c83f457
SHA-1: 7a91629f066c0e30635064797a0aa03876f525e8
SHA-256: c086a3b980d8293e89398993ad2c9633827b6253a8b23c4a161e0736ad747185
Risk score: 80

Malware Insights

MITRE ATT&CK
  • T1204 User Execution
  • T1204.002 Malicious File
  • T1566 Phishing
  • T1566.001 Spearphishing Attachment

The RTF document contains an embedded OLE object that attempts to lure the user into enabling macros or content. This is a common technique for malware droppers to bypass security measures. The document body explicitly instructs the user to "Enable Editing" and "Enable Content" in multiple languages, reinforcing the lure.

Heuristics (3)

  • \objupdate forces OLE activation (severity: high, rule: RTF_OBJUPDATE)
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium, rule: RTF_OBJDATA)
    RTF contains 1 \objdata section(s) — embedded OLE objects.
  • Macro/content-enable lure (severity: medium, rule: SE_ENABLE_LURE)
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00001c3b.bin
SHA-256: e9cbc0f4050c8b9d300fcd48825e0510ace77242409a0b989020aaec4428851a
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x1C3B
Size: 3130 bytes