Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 c74a7163a8aeecf2…

Verdict: MALICIOUS
File type: RTF / .DOC
Size: 14.5 KB
First seen: 2022-07-19
MD5: 002c07d66e408b660935ef1851e5d555
SHA-1: f0c7797f1b8f5151aa11ec19ee8703b0563358b2
SHA-256: c74a7163a8aeecf231a8aa444bb98c1b8ce0610a6f6a00dfcf78906204e9c7a8
Risk score: 80

Malware Insights

MITRE ATT&CK

  • T1204 Malicious Link
  • T1566 Phishing
  • T1059 Command and Scripting Interpreter

The sample is an RTF document that contains OLE object data and uses an \objupdate directive, indicating an attempt to activate embedded objects. The heuristic 'SE_ENABLE_LURE' confirms that the document instructs the user to enable editing, a typical social engineering tactic to bypass macro security. This suggests the file is a dropper designed to execute malicious content upon user interaction.

Heuristics (3)

  • \objupdate forces OLE activation [high] (RTF_OBJUPDATE)
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data [medium] (RTF_OBJDATA)
    RTF contains 2 \objdata section(s) — embedded OLE objects.
  • Macro/content-enable lure [medium] (SE_ENABLE_LURE)
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off0000203f.bin
SHA-256: 860812ba4915475aeeb33a746337378bb5e3f738bb514ad477646d60beeded2b
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x203F
Size: 2027 bytes