Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 f97412f5ddac8351…

Verdict: MALICIOUS
File type: RTF / .DOC
Size: 218.9 KB
First seen: 2022-04-08
MD5: c74d2a18dba1bf2d337e503f998d92e2
SHA-1: 571ab67ae3e258197a459bee4b7a37a9657a4515
SHA-256: f97412f5ddac8351f3d6efdb6982cb05aafa4f96bbdd7f85add14a7b4f850f01
Risk Score: 140

Malware Insights

MITRE ATT&CK
  • T1204 Malicious Link
  • T1204.002 Malicious Link: Malicious File
  • T1566 Phishing
  • T1566.001 Phishing: Spearphishing Attachment

The RTF document contains multiple OLE objects, including embedded objects and OLE object data. The presence of `RTF_OBJUPDATE` and `RTF_COMPOSITE_MONIKER_RELATED` heuristics indicates that these objects are likely designed to be activated automatically or upon user interaction. The document body explicitly instructs the user to "Enable Editing", a common social engineering tactic to bypass macro security and allow the execution of embedded malicious content. No scripts were extracted, and no specific IOCs were identified beyond the document structure itself.

Heuristics (5)

  • Composite Moniker in RTF OLE object [high, CVE related] RTF_COMPOSITE_MONIKER_RELATED
    RTF contains a Composite Moniker CLSID in OLE object context, but no nearby scriptlet/SCT payload was confirmed. Treat as related moniker attack-surface evidence rather than proof of CVE-2017-8570 exploitation.
  • \objupdate forces OLE activation [high] RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data [medium] RTF_OBJDATA
    RTF contains 3 \objdata section(s) — embedded OLE objects.
  • Embedded OLE object [medium] RTF_OBJEMB
    RTF contains \objemb — embedded OLE object.
  • Macro/content-enable lure [medium] SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • Filename: objdata_00_off00000ba2.bin
    SHA-256: f13273e9d9f96c05282f1dcaf36f521dcad6484a5033b372a3e3ede80b0dd08a
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0xBA2
    Size: 15941 bytes
  • Filename: objdata_01_off00008dc4.bin
    SHA-256: 1721aab459b68b884f13b5caf8aed48f2f1a5eb3d65c1b2ddac08c7c93062de4
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x8DC4
    Size: 2632 bytes
  • Filename: objdata_02_off0000a367.bin
    SHA-256: 44deae4627fee3c44f54d5bd10477ec2e17f4c08135f08e2417832e36d10d037
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0xA367
    Size: 12297 bytes