Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 d7a7a6550d5e7c8f…

Verdict: MALICIOUS

File type: RTF / .DOC

Size: 659.4 KB

MD5: 7df152da06e5d2f3df5b86722d756e8f
SHA-1: 63be60641defd5addffcc8f1fb01d4cb2e87a8ed
SHA-256: d7a7a6550d5e7c8fafe12dbed4b342114f27815c39515d68f5482984b1497673

Risk score: 80

Malware Insights

MITRE ATT&CK
T1204 User Execution (document lure) T1059 Command and Scripting Interpreter

The RTF document embeds an OLE object and carries an \objupdate control word, which tells Word to update (and therefore instantiate) the object as soon as the document is opened, without the user double-clicking it. The document body presents a financial-audit lure instructing the user to 'Enable editing'. RTF cannot carry VBA macros, so the point of this lure is to get the reader out of Protected View, where embedded objects are not activated; once editing is enabled the OLE object can load. No scripts were extracted, and no indicators were identified beyond the file hashes and the carved object listed below.

Heuristics (3)

  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate, which forces the embedded OLE object to be instantiated when the document is opened instead of waiting for the user to activate it. Rarely used in benign documents; commonly seen in RTF exploit documents, including those targeting Equation Editor.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata destination(s), i.e. embedded OLE object data stored as a hex string.
  • Macro/content-enable lure medium SE_ENABLE_LURE
    Document instructs the user to enable editing or macros. Malware droppers use this to get the victim to leave Protected View or relax macro security so that embedded content can execute.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00042f5b.bin
SHA-256:  5ee9bd49466b4cbbe863dc41f463e329a1dce4589b28f9de588b0f8630740442
Kind:     rtf-objdata-decoded
Source:   RTF \objdata at offset 0x42F5B
Size:     2059 bytes
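The heuristics above and the carved artifact can be reproduced with a short triage script. The following is an added example, not part of the original report or its analysis engine: it flags \objupdate and enable-editing lures, carves each \objdata hex string back to bytes (tolerating control words and whitespace interleaved in the hex, a common RTF obfuscation), records the offset, size and SHA-256 the way the artifact table does, and parses the resulting OLE 1.0 ObjectHeader (MS-OLEDS) to recover the class name and native data. The RTF it runs on is constructed inline with a placeholder Equation.3 object; it is not the analysed sample.

```python
"""Triage an RTF for \\objupdate, \\objdata and enable-editing lures, then carve OLE1 objects."""
import hashlib
import re
import struct

# Control words (\par, \bin12, \'hh, \{ ...) that may be interleaved inside the hex data.
CTRL_RE = re.compile(rb"\\[A-Za-z]+-?\d* ?|\\'[0-9A-Fa-f]{2}|\\.")
NON_HEX_RE = re.compile(rb"[^0-9A-Fa-f]")
OBJUPDATE_RE = re.compile(rb"\\objupdate(?![A-Za-z])")
OBJDATA_RE = re.compile(rb"\\objdata(?![A-Za-z])")
LURE_RE = re.compile(rb"enable\s+(editing|content|macros)", re.IGNORECASE)


def _group_body(data: bytes, start: int) -> bytes:
    """Return the bytes from `start` up to the '}' that closes the enclosing RTF group."""
    depth = 0
    for i in range(start, len(data)):
        c = data[i:i + 1]
        if c == b"{":
            depth += 1
        elif c == b"}":
            if depth == 0:
                return data[start:i]
            depth -= 1
    return data[start:]


def carve_objdata(data: bytes):
    """Yield (offset_of_control_word, decoded_bytes) for every \\objdata destination."""
    for m in OBJDATA_RE.finditer(data):
        body = CTRL_RE.sub(b"", _group_body(data, m.end()))
        hexstr = NON_HEX_RE.sub(b"", body)
        if len(hexstr) % 2:          # dangling nibble: drop it rather than fail
            hexstr = hexstr[:-1]
        if hexstr:
            yield m.start(), bytes.fromhex(hexstr.decode("ascii"))


def _lp_ansi(blob: bytes, pos: int):
    """Read an MS-OLEDS LengthPrefixedAnsiString (u32 length + bytes incl. NUL)."""
    (n,) = struct.unpack_from("<I", blob, pos)
    s = blob[pos + 4:pos + 4 + n]
    return s.rstrip(b"\x00").decode("latin-1"), pos + 4 + n


def parse_ole1(blob: bytes) -> dict:
    """Parse an OLE 1.0 ObjectHeader; for FormatID 2 (EmbeddedObject) also return the native data."""
    version, fmt = struct.unpack_from("<II", blob, 0)
    class_name, pos = _lp_ansi(blob, 8)
    _topic, pos = _lp_ansi(blob, pos)
    _item, pos = _lp_ansi(blob, pos)
    info = {"ole_version": version, "format_id": fmt, "class_name": class_name}
    if fmt == 2:
        (size,) = struct.unpack_from("<I", blob, pos)
        info["native_size"] = size
        info["native_data"] = blob[pos + 4:pos + 4 + size]
    return info


def analyze_rtf(data: bytes) -> dict:
    """Apply the three heuristics from the report and carve every embedded object."""
    report = {"heuristics": [], "artifacts": []}
    if OBJUPDATE_RE.search(data):
        report["heuristics"].append("RTF_OBJUPDATE")
    if LURE_RE.search(data):
        report["heuristics"].append("SE_ENABLE_LURE")
    for off, blob in carve_objdata(data):
        art = {"offset": off, "size": len(blob), "sha256": hashlib.sha256(blob).hexdigest()}
        try:
            art.update(parse_ole1(blob))
        except struct.error:       # not OLE1, or truncated: keep the raw carve anyway
            art["ole1_parse_error"] = True
        report["artifacts"].append(art)
    if report["artifacts"]:
        report["heuristics"].append("RTF_OBJDATA")
    return report


def build_sample() -> bytes:
    """Constructed test document (not the analysed file): OLE1 embedded object, class Equation.3."""
    def lp(s: bytes) -> bytes:
        return struct.pack("<I", len(s)) + s
    native = b"\xde\xad\xbe\xef"   # placeholder native data, hypothetical
    ole1 = (struct.pack("<II", 0x0501, 2) + lp(b"Equation.3\x00") + lp(b"") + lp(b"")
            + struct.pack("<I", len(native)) + native)
    hexdata = ole1.hex().encode()
    hexdata = hexdata[:16] + b"\\par\r\n" + hexdata[16:]   # interleaved control word, as seen in the wild
    return (b"{\\rtf1\\ansi\\deff0 {\\object\\objemb\\objupdate\\objw100\\objh100"
            b"{\\*\\objclass Equation.3}{\\*\\objdata " + hexdata + b"}}"
            b"\\par Audit report. Please Enable editing to view content.}")


if __name__ == "__main__":
    for k, v in analyze_rtf(build_sample()).items():
        print(k, v)
```

To run it against a real file, replace build_sample() with the file contents; the offset it reports for each \objdata matches the `off...` suffix used in the artifact filenames above, and the SHA-256 is over the decoded bytes, not the hex text.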