Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 ee1c72ebaf43badf…

Verdict: MALICIOUS

File type: RTF / .DOC

File size: 670.3 KB

MD5: c00a17e56e7eeaf2d72456692c36eec7
SHA-1: 72fbbce62454aaa611317d1c23a1980712d44613
SHA-256: ee1c72ebaf43badfd7469960a19c0b2c54dc7485eff720cab2eb6bb9cf623c04

Risk Score: 100

Malware Insights

MITRE ATT&CK
  • T1204 Malicious Link
  • T1566.001 Spearphishing Attachment
  • T1059.005 Visual Basic

The sample is an RTF document containing embedded OLE object data, with heuristics indicating the use of \objdata and \objupdate to force OLE activation. The document body contains a lure instructing the user to 'Enable editing' to bypass security settings. This suggests the document is designed to trick the user into executing embedded malicious content, likely a macro or script, which is a common delivery mechanism for malware.

Heuristics (4)

  • \objupdate forces OLE activation [severity: high] [rule: RTF_OBJUPDATE]
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data [severity: medium] [rule: RTF_OBJDATA]
    RTF contains 1 \objdata section(s) — embedded OLE objects.
  • Embedded OLE object [severity: medium] [rule: RTF_OBJEMB]
    RTF contains \objemb — embedded OLE object.
  • Macro/content-enable lure [severity: medium] [rule: SE_ENABLE_LURE]
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00022175.bin
SHA-256:  29914c529da6b934b8e3e9e4a0a79b8a8ea89e7047989bd1b6665df3f9d10402
Kind:     rtf-objdata-decoded
Source:   RTF \objdata at offset 0x22175
Size:     3758 bytes