Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 f85b938759315f2a…

MALICIOUS

RTF / .DOC

70.6 KB First seen: 2023-08-29
MD5: d5b5887cdab8ed08ffef8de162639c92 SHA-1: 4949a828f20a239e489f1ec4fb3092d8264d6001 SHA-256: f85b938759315f2afdcc602cb9084f90f3286adf2b1f35415ac48ad9de62fdb6
80 Risk Score

Malware Insights

MITRE ATT&CK
T1204 Malicious Link T1204.002 Malicious Link: Malicious File T1566 Phishing T1566.001 Phishing: Spearphishing Attachment

The RTF document contains OLE object data and an instruction to enable editing, which are common techniques for bypassing macro security. The document body discusses financial auditing to appear legitimate, but the presence of these elements strongly suggests a malicious intent to trick the user into enabling content that would likely download and execute a secondary payload.

Heuristics 3

  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects
  • Macro/content-enable lure medium SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off00003cc2.bin
1371a57a1ab53dd01b18fd7bee151fb13b7a2bc3f56f1dca9ca167cc52bed3e3		 rtf-objdata-decoded RTF \objdata at offset 0x3CC2 4178 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.