Malicious RTF — malware analysis report

Static analysis result for SHA-256 f7d23a1a9687e114…

Verdict: MALICIOUS
File type: RTF
Size: 8.2 KB
First seen: 2022-12-06
MD5: b21080496cd06c4ec05a717005ac8de0
SHA-1: 19e19d2cfb4beb2b01a58e946686b65670fa1d5b
SHA-256: f7d23a1a9687e11409154eef5ff6e38b0ce19bd6747b45814cd6221ee1bc02cd
Risk score: 80

Malware Insights

MITRE ATT&CK
  • T1204 User Execution
  • T1204.002 User Execution: Malicious File
  • T1566 Phishing
  • T1566.001 Phishing: Spearphishing Attachment
  • T1566.002 Phishing: Spearphishing Link

The RTF document contains one embedded OLE object and carries an \objupdate directive, which makes Word instantiate the object as soon as the document is opened rather than when the user activates it. The document body explicitly instructs the user to 'Enable Editing' and 'Enable Content', the standard lure for macro-based malware delivery. No scripts were extracted, and the carved OLE object data is truncated, so the payload could not be analysed further.

Heuristics (3)

  • \objupdate forces OLE activation (severity: high, rule: RTF_OBJUPDATE)
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, without any user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium, rule: RTF_OBJDATA)
    RTF contains 1 \objdata section(s), i.e. embedded OLE objects.
  • Macro/content-enable lure (severity: medium, rule: SE_ENABLE_LURE)
    The document instructs the user to enable macros or editing, a common technique used by malware droppers to get past Office macro security settings.
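As an added example (not the analyzer's or this report's own code), the following Python implements the three checks summarised above and listed as heuristics: it locates \objupdate, decodes each \objdata hex stream into bytes, parses the OLE1 wrapper to read the class name and test whether the native data starts with the compound-file signature, flags a stream whose native data is shorter than its header declares (the truncation this report notes), and looks for an enable-content lure in the document text. The input is a constructed RTF carrying a fabricated Equation.3 object, not the analysed sample; the rule IDs and severities are the ones used in the report, and the function and class names are this example's own.

```python
import re
import struct
from dataclasses import dataclass

CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # [MS-CFB] compound-file signature
CONTROL = re.compile(rb"\\[A-Za-z]+-?\d* ?|\\'[0-9A-Fa-f]{2}|\\.")
NESTED = re.compile(rb"\{[^{}]*\}")
NON_HEX = re.compile(rb"[^0-9A-Fa-f]")

@dataclass
class ObjData:
    offset: int          # byte offset of the \objdata control word in the RTF
    size: int            # bytes actually decoded from the hex stream
    class_name: str      # OLE1 ClassName (e.g. "Equation.3"), "" if unparsable
    native_is_cfb: bool  # NativeData starts with the compound-file magic
    truncated: bool      # fewer NativeData bytes present than the header declares

def _group_body(buf: bytes, start: int) -> bytes:
    """Bytes from `start` to the brace closing the current group (or EOF)."""
    depth, i = 0, start
    while i < len(buf):
        c = buf[i:i + 1]
        if c == b"\\":                 # skip the escaped byte: \{ \} \\
            i += 2
            continue
        if c == b"{":
            depth += 1
        elif c == b"}":
            if depth == 0:
                return buf[start:i]
            depth -= 1
        i += 1
    return buf[start:]                 # no closing brace: file cut off

def decode_objdata(buf: bytes, start: int) -> bytes:
    """Decode one \\objdata hex stream, dropping nested groups, control words and
    whitespace that obfuscated RTFs interleave with the hex digits."""
    body = _group_body(buf, start)
    while NESTED.search(body):
        body = NESTED.sub(b"", body)
    hexchars = NON_HEX.sub(b"", CONTROL.sub(b"", body))
    if len(hexchars) % 2:              # dangling nibble from a cut-off stream
        hexchars = hexchars[:-1]
    return bytes.fromhex(hexchars.decode("ascii"))

def parse_ole1(data: bytes):
    """OLE1 ObjectHeader ([MS-OLEDS] 2.2.4): OLEVersion, FormatID, then ClassName,
    TopicName, ItemName as length-prefixed strings; FormatID 2 (embedded) is
    followed by NativeDataSize and NativeData. Returns (class, native, declared)."""
    try:
        _, format_id = struct.unpack_from("<II", data, 0)
        pos, names = 8, []
        for _ in range(3):
            (n,) = struct.unpack_from("<I", data, pos)
            names.append(data[pos + 4:pos + 4 + n].rstrip(b"\x00").decode("latin-1"))
            pos += 4 + n
        if format_id != 2:
            return names[0], b"", 0
        (declared,) = struct.unpack_from("<I", data, pos)
        return names[0], data[pos + 4:pos + 4 + declared], declared
    except struct.error:
        return "", b"", 0

def scan_rtf(buf: bytes) -> dict:
    """Return the objects found plus (rule, severity) hits matching the report."""
    objects = []
    for m in re.finditer(rb"\\objdata\b", buf):
        data = decode_objdata(buf, m.end())
        cls, native, declared = parse_ole1(data)
        objects.append(ObjData(m.start(), len(data), cls,
                               native.startswith(CFB_MAGIC), len(native) < declared))
    objupdate = [m.start() for m in re.finditer(rb"\\objupdate\b", buf)]
    lure = re.search(rb"enable\s+(editing|content|macros)", buf, re.I) is not None
    rules = []
    if objupdate:
        rules.append(("RTF_OBJUPDATE", "high"))
    if objects:
        rules.append(("RTF_OBJDATA", "medium"))
    if lure:
        rules.append(("SE_ENABLE_LURE", "medium"))
    return {"objupdate": objupdate, "objects": objects, "enable_lure": lure, "rules": rules}

def build_sample_rtf() -> bytes:
    """Constructed test input (not the analysed sample): one \\objupdate object whose
    \\objdata wraps a fabricated compound-file stub in an OLE1 header."""
    def lpstr(s: bytes) -> bytes:
        return struct.pack("<I", len(s) + 1) + s + b"\x00"
    native = CFB_MAGIC + b"\x00" * 24
    ole1 = (struct.pack("<II", 0x00000501, 2) + lpstr(b"Equation.3")
            + struct.pack("<III", 0, 0, len(native)) + native)
    hexdata = ole1.hex().encode("ascii")
    hexlines = b"\r\n".join(hexdata[i:i + 64] for i in range(0, len(hexdata), 64))
    return (rb"{\rtf1\ansi\deff0{\fonttbl{\f0 Calibri;}}" + b"\r\n"
            + rb"\pard This document is protected. Click Enable Editing, then Enable Content.\par" + b"\r\n"
            + rb"{\object\objemb\objupdate\objw1000\objh500{\*\objclass Equation.3}{\*\objdata " + b"\r\n"
            + hexlines + b"}}\r\n}")

SAMPLE_RTF = build_sample_rtf()

if __name__ == "__main__":
    r = scan_rtf(SAMPLE_RTF)
    for rule, sev in r["rules"]:
        print(f"{sev:6} {rule}")
    for o in r["objects"]:
        print(f"\\objdata at 0x{o.offset:X}: {o.size} bytes, class={o.class_name!r}, "
              f"cfb={o.native_is_cfb}, truncated={o.truncated}")
```

The decoder deliberately keeps only hex digits and discards nested groups and control words inside the \objdata group, because that is how the obfuscation seen in Equation Editor exploit documents is usually applied; it does not handle \bin binary runs or \u escapes in the lure text, so for triage of a real sample a full RTF tokenizer such as oletools' rtfobj is the better tool, and the truncation flag here is what tells you, as in this report, that the carved object cannot be taken further.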

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  Filename: objdata_00_off00000eec.bin
  SHA-256:  cfd86b9a6a638533a21d43ca68da71e558c23bc0ceddd59a256f6069adbf8429
  Kind:     rtf-objdata-decoded
  Source:   RTF \objdata at offset 0xEEC
  Size:     2228 bytes