Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 dbde17546d423c44…

MALICIOUS

RTF / .DOC

Size: 1.13 MB
MD5: 1e6c06ed300dd4d6744f43efd6cc36a2
SHA-1: 8aaece78eaab5c434c8b9a88a1b154a09f800d16
SHA-256: dbde17546d423c444465c7f4bbecd593e99c4d43136269bb7f1f3be544d716eb
Risk Score: 80

Malware Insights

MITRE ATT&CK
T1204 User Execution / T1204.002 Malicious File

The RTF document contains an embedded OLE object and carries the \objupdate control word, which makes the application update (and so instantiate) the object as soon as the document is opened rather than waiting for the user to double-click it. The document body explicitly instructs the reader to 'click Enable editing from the yellow bar above'. That is the lure this sample depends on: while the document is in Protected View the embedded object is not activated, so the attacker needs one click to leave it. No VBA macro is involved (RTF cannot carry one); the phrase is the generic enable-content social engineering reused to trigger OLE activation. Taken together, this indicates a dropper or exploit container that relies on a single user action to run its payload.

Heuristics (3)

  • RTF_OBJUPDATE (high): \objupdate forces OLE activation
    The RTF contains \objupdate, which makes the embedded OLE object instantiate automatically when the document is opened instead of waiting for the user to double-click it. This control word is seen almost exclusively in Equation Editor exploit documents.
  • RTF_OBJDATA (medium): OLE object data
    The RTF contains 1 \objdata section(s), i.e. hex-encoded embedded OLE object(s).
  • SE_ENABLE_LURE (medium): macro/content-enable lure
    The document text instructs the user to enable macros or editing, a standard dropper technique for getting the reader to leave Protected View or enable active content.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename                    Kind                 Source                          Size
objdata_00_off00069fcd.bin  rtf-objdata-decoded  RTF \objdata at offset 0x69FCD  3729 bytes
  SHA-256: 7ec556c7a72e374c0fa103124c9c7eeb3b21db5bf364b7a91bd711842648c3d9
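As an added, runnable illustration of the heuristics listed above and of the \objdata carving behind the extracted artifact (example code written for this page, not the scanner's own implementation): the script below flags \objupdate, \objdata and an enable-editing lure in an RTF byte string, decodes the hex stream of each \objdata group to raw bytes, and parses the OLE 1.0 header of the result to recover the class name and native payload. The RTF it runs on is a constructed sample (an Equation.3 object with a four-byte dummy payload), not the analysed file; the rule names are taken from the report, and the OLE 1.0 layout follows MS-OLEDS.

```python
"""Triage an RTF for the three report heuristics and carve its \\objdata payload.
Added example, not the scanner's own code. Rule names mirror the report
(RTF_OBJUPDATE, RTF_OBJDATA, SE_ENABLE_LURE); SAMPLE_RTF is constructed for the demo."""
import re
import struct

# Constructed RTF: an embedded object with \objupdate, class "Equation.3" and a
# four-byte dummy native payload (aabbccdd). Hex is split across lines on purpose.
SAMPLE_RTF = rb"""{\rtf1\ansi\deff0
{\fonttbl{\f0\fnil Calibri;}}
\pard\f0 This document is protected. Please click Enable editing from the yellow bar above.\par
{\object\objemb\objupdate\objw100\objh100
{\*\objclass Equation.3}
{\*\objdata 01050000 02000000 0b000000 4571756174696f6e2e3300
00000000 00000000 04000000 aabbccdd}
{\result{\pict\wmetafile8 0100}}}
\par}
"""

OBJDATA_GROUP = re.compile(rb"\{\\\*\\objdata\b")
OBJUPDATE = re.compile(rb"\\objupdate\b")
# Simplistic: matches the phrase in the raw bytes; a lure split by control words evades it.
ENABLE_LURE = re.compile(rb"enable\s+(editing|content|macros?)", re.IGNORECASE)


def rtf_group_end(data, start):
    """Index just past the '}' closing the group opened at data[start] == b'{'.
    The character after each backslash is skipped so escaped braces are not counted."""
    depth, i = 0, start
    while i < len(data):
        c = data[i:i + 1]
        if c == b"\\":
            i += 2
            continue
        if c == b"{":
            depth += 1
        elif c == b"}":
            depth -= 1
            if depth == 0:
                return i + 1
        i += 1
    raise ValueError(f"unbalanced RTF group at offset 0x{start:X}")


def carve_objdata(rtf):
    """Decode every {\\*\\objdata ...} group from its hex stream to raw bytes.
    Nested groups and control words are dropped first; \\bin binary payloads are not handled."""
    carved = []
    for m in OBJDATA_GROUP.finditer(rtf):
        end = rtf_group_end(rtf, m.start())
        body = rtf[m.end():end - 1]
        while True:  # strip nested groups, innermost first
            stripped = re.sub(rb"\{[^{}]*\}", b"", body)
            if stripped == body:
                break
            body = stripped
        body = re.sub(rb"\\[A-Za-z]+-?\d* ?", b"", body)  # drop control words
        hexdigits = re.sub(rb"[^0-9A-Fa-f]", b"", body)     # keep only the hex stream
        if len(hexdigits) % 2:
            hexdigits = hexdigits[:-1]                      # odd nibble count: truncate
        blob = bytes.fromhex(hexdigits.decode("ascii"))
        carved.append({"offset": m.start(), "size": len(blob), "data": blob})
    return carved


def parse_ole1_header(blob):
    """OLE 1.0 ObjectHeader (MS-OLEDS 2.2.4): OLEVersion, FormatID (uint32 LE), then
    ClassName/TopicName/ItemName as 4-byte-length-prefixed ANSI strings. For FormatID 2
    (embedded object) NativeDataSize and the native payload follow (MS-OLEDS 2.2.5)."""
    if len(blob) < 8:
        raise ValueError("blob too short for an OLE1 header")
    version, format_id = struct.unpack_from("<II", blob, 0)
    pos, names = 8, []
    for _ in range(3):
        if pos + 4 > len(blob):
            raise ValueError("truncated length prefix")
        (length,) = struct.unpack_from("<I", blob, pos)
        pos += 4
        if length > len(blob) - pos:
            raise ValueError("length-prefixed string runs past end of blob")
        names.append(blob[pos:pos + length].rstrip(b"\x00").decode("latin-1"))
        pos += length
    info = {"version": version, "format_id": format_id,
            "class_name": names[0], "topic_name": names[1], "item_name": names[2]}
    if format_id == 2 and pos + 4 <= len(blob):
        (native_size,) = struct.unpack_from("<I", blob, pos)
        info["native_data_size"] = native_size
        info["native_data"] = blob[pos + 4:pos + 4 + native_size]
    return info


def triage(rtf):
    """Return ([(severity, rule_id), ...], carved_objects) for an RTF byte string."""
    findings = []
    if OBJUPDATE.search(rtf):
        findings.append(("high", "RTF_OBJUPDATE"))
    objects = carve_objdata(rtf)
    if objects:
        findings.append(("medium", "RTF_OBJDATA"))
    if ENABLE_LURE.search(rtf):
        findings.append(("medium", "SE_ENABLE_LURE"))
    return findings, objects


if __name__ == "__main__":
    found, objs = triage(SAMPLE_RTF)
    for severity, rule in found:
        print(f"{severity:<8}{rule}")
    for obj in objs:
        hdr = parse_ole1_header(obj["data"])
        print(f"\\objdata at 0x{obj['offset']:X}: {obj['size']} bytes, class {hdr['class_name']!r}, "
              f"format {hdr['format_id']}, native payload {hdr.get('native_data_size')} bytes")
```

Run against a real sample, the class name recovered from the OLE1 header (here the constructed "Equation.3") is the first thing to check against the \objclass group, and the carved native payload is what goes on to the next stage of analysis. The lure check is deliberately naive; production rules should match on the rendered text rather than the raw RTF bytes.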