Malicious RTF — malware analysis report

Static analysis result for SHA-256 ee378454302fbafd…

Verdict: MALICIOUS
File type: RTF
Size: 80.1 KB
First seen: 2023-03-03
MD5: 87f20d1cabcbb993baa2a4f9ee4c5faf
SHA-1: 6dba60c4dcace69f50a2af5956925652d581811f
SHA-256: ee378454302fbafd6ec1de98d3c0bf3416caf0139498fe8999c5c05fcd7b3274
Risk score: 80

Malware Insights

MITRE ATT&CK
  • T1204 User Execution: Malicious File
  • T1566 Phishing
  • T1566.001 Phishing: Spearphishing Attachment

The RTF document embeds an OLE object and carries an \objupdate control word, which makes Word update (instantiate) the object as soon as the document is opened rather than waiting for the user to interact with it, indicating an attempt to execute the embedded content. The document body explicitly instructs the user to click 'Enable editing' to view the content. That button leaves Protected View, which is what prevents embedded objects from being activated for files that arrived from the internet; RTF cannot carry VBA macros, so the lure here targets Protected View rather than macro settings, but it is the same social-engineering pattern droppers use to get past Office security prompts.

Heuristics (3)

  • \objupdate forces OLE activation (severity: high, rule RTF_OBJUPDATE)
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, without user interaction. Legitimate documents rarely use it; it is characteristic of Equation Editor exploit documents.
  • OLE object data (severity: medium, rule RTF_OBJDATA)
    RTF contains 1 \objdata section(s): hex-encoded embedded OLE object(s)
  • Macro/content-enable lure (severity: medium, rule SE_ENABLE_LURE)
    Document instructs the user to enable macros or editing, a common technique used by malware droppers to get past Office security prompts (Protected View, macro blocking)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00004dbf.bin
SHA-256: 6fdd8daa10ff9146dfce238b8108bdfe93b7d46ac413e004e9d0ceab24fffd12
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x4DBF
Size: 4176 bytes
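The three heuristics above and the objdata carving can be reproduced with a small scanner. The following is an added example written for this page, not the analysis platform's own code: it locates {\*\objdata ...} groups (tolerating nested groups, interleaved control words such as \par and line breaks inside the hex stream), decodes them, hashes them and reads the class name from the OLE1 header, checks for a whole-word \objupdate, and looks for an "enable editing/content/macros" lure in the body text. SAMPLE_RTF and BENIGN_RTF are constructed inputs, not the analysed file; the artifact naming (objdata_NN_offXXXXXXXX.bin) mirrors the report. For production carving use a full RTF tokenizer such as oletools' rtfobj.

```python
r"""Triage an RTF for \objupdate, \objdata and an enable-editing lure, and carve the objects.

Added example, not the analysis platform's code. Handles a deliberate subset of RTF.
"""
import hashlib
import re
import struct

# Constructed sample: one embedded Equation.3 object, \objupdate set, and an
# "Enable Editing" lure in the body text. The OLE1 blob is hand-built:
# OLEVersion, FormatID=2 (embedded), class name, empty topic/item names,
# NativeDataSize=4, 4 bytes of data. The hex stream is split across a line
# break and a \par control word to show that the parser tolerates both.
SAMPLE_RTF = (
    rb"{\rtf1\ansi\deff0{\fonttbl{\f0 Arial;}}"
    rb"\f0\fs24 Protected document. Please click \b Enable Editing\b0  to view it.\par"
    rb"{\object\objemb\objupdate\objw1440\objh720{\*\objclass Equation.3}"
    rb"{\*\objdata 01050000020000000b000000" + b"\r\n"
    rb"4571756174696f6e2e3300\par 000000000000000004000000deadbeef}"
    rb"{\result{\pict\wmetafile8 0100090000}}}"
    rb"}"
)
BENIGN_RTF = rb"{\rtf1\ansi\deff0 Quarterly report, nothing embedded.\par}"

CONTROL_WORD = re.compile(rb"\\[a-zA-Z]+-?\d* ?")
OBJUPDATE = re.compile(rb"\\objupdate(?![a-zA-Z])")        # whole control word only
OBJDATA_OPEN = re.compile(rb"\{\\\*\\objdata(?![a-zA-Z])")
LURE = re.compile(rb"enable\s+(editing|content|macros)", re.IGNORECASE)


def _group_end(data: bytes, start: int) -> int:
    """Index just past the brace that closes the group opened at data[start].
    Honours nesting and backslash-escaped braces."""
    depth = 0
    i = start
    while i < len(data):
        c = data[i]
        if c == 0x5C:          # backslash: skip escaped char / control-word start
            i += 2
            continue
        if c == 0x7B:          # {
            depth += 1
        elif c == 0x7D:        # }
            depth -= 1
            if depth == 0:
                return i + 1
        i += 1
    raise ValueError("unbalanced RTF group")


def extract_objdata(rtf: bytes):
    """Yield (offset, decoded_bytes) for every objdata group in the document."""
    for m in OBJDATA_OPEN.finditer(rtf):
        start = m.start()
        body = rtf[m.end():_group_end(rtf, start) - 1]
        # Drop control words, nested-group braces and whitespace; the rest is hex.
        hexstream = re.sub(rb"[\s{}]", b"", CONTROL_WORD.sub(b"", body))
        if len(hexstream) % 2:
            hexstream = hexstream[:-1]          # tolerate a dangling nibble
        try:
            blob = bytes.fromhex(hexstream.decode("ascii"))
        except ValueError:
            blob = b""                          # malformed stream: still report the group
        yield start, blob


def ole1_class_name(blob: bytes) -> str:
    """Class name from an OLE1 object header: OLEVersion(4) FormatID(4)
    ClassName length(4) ClassName bytes (NUL terminated)."""
    if len(blob) < 12:
        return ""
    (n,) = struct.unpack_from("<I", blob, 8)
    return blob[12:12 + n].rstrip(b"\0").decode("ascii", "replace")


def triage(rtf: bytes) -> dict:
    """Run the three report heuristics and carve the objdata blobs."""
    findings = []
    if OBJUPDATE.search(rtf):
        findings.append(("RTF_OBJUPDATE", "high"))
    objects = list(extract_objdata(rtf))
    if objects:
        findings.append(("RTF_OBJDATA", "medium"))
    # Body text = document with control words and braces stripped
    text = re.sub(rb"[{}]", b"", CONTROL_WORD.sub(b" ", rtf))
    if LURE.search(text):
        findings.append(("SE_ENABLE_LURE", "medium"))
    artifacts = [
        {
            "filename": f"objdata_{i:02d}_off{off:08x}.bin",   # report's naming scheme
            "sha256": hashlib.sha256(blob).hexdigest(),
            "size": len(blob),
            "class": ole1_class_name(blob),
        }
        for i, (off, blob) in enumerate(objects)
    ]
    return {"findings": findings, "artifacts": artifacts}


if __name__ == "__main__":
    for name, doc in (("sample", SAMPLE_RTF), ("benign", BENIGN_RTF)):
        result = triage(doc)
        print(name, result["findings"])
        for a in result["artifacts"]:
            print("  ", a["filename"], a["class"], a["size"], "bytes", a["sha256"])
```

On the constructed sample this reports all three rules and one carved 39-byte Equation.3 object; on the benign document it reports nothing. Carved blobs are what you would hand to the next stage (an Equation Editor record parser, or a YARA pass), since the exploit content lives inside the OLE1 native data, not in the RTF text.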