Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 ff221c26a6ad233a…

MALICIOUS

RTF / .DOC

Size: 825.9 KB    First seen: 2024-11-04
MD5: 666036634de5de5ff28819cec19299f3
SHA-1: 4cb3fb08d6a173e1526f48d1d4237c29f9a49f5f
SHA-256: ff221c26a6ad233a179ede24b8156649e2e4338af867571943a2f114650bffa2
Risk Score: 80

Malware Insights

MITRE ATT&CK
  • T1566 Phishing / T1566.001 Phishing: Spearphishing Attachment
  • T1204 User Execution / T1204.002 User Execution: Malicious File
  • T1059 Command and Scripting Interpreter / T1059.005 Command and Scripting Interpreter: Visual Basic

The RTF contains an embedded OLE object (\objdata) together with the \objupdate control word, which tells Word to update the object as soon as the document is opened, so the embedded content is instantiated without the user double-clicking it. The document body is a lure referencing financial audits that instructs the user to 'click Enable editing'; leaving Protected View this way is the step malicious documents rely on to get macros or embedded objects to run. No scripts or macro code were extracted, so the Visual Basic technique mapping is inferred from the lure rather than from recovered code, but taken together the heuristics indicate the document is designed to trick the user into enabling content execution.

Heuristics (3)

  • \objupdate forces OLE activation    high    RTF_OBJUPDATE
    RTF contains \objupdate, which forces the embedded OLE object to be instantiated when the document is opened, with no double-click from the user. Rare in legitimate documents and seen almost exclusively in Equation Editor exploit documents.
  • OLE object data    medium    RTF_OBJDATA
    RTF contains 1 \objdata section(s): hex-encoded embedded OLE object data (carved below under Extracted artifacts).
  • Macro/content-enable lure    medium    SE_ENABLE_LURE
    Document instructs the user to enable macros or editing, a common technique malware droppers use to get the victim to leave Protected View and allow macros or embedded content to run.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename                     Kind                 Source                           Size
objdata_00_off00023582.bin   rtf-objdata-decoded  RTF \objdata at offset 0x23582   3732 bytes
  SHA-256: 0c9e022c8ea153afb089f38d4252e882dd6c053770ecffe33b1462ad76cfabe5
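The heuristics and the carving step above can be reproduced with a short script. The following is an added example written for this report, not the scanner's own code: it flags \objupdate, locates each \objdata group, strips the whitespace, nested groups and control words that RTF obfuscators insert into the hex stream, decodes and hashes the blob (as the artifact row above does), and then parses the OLE1 ObjectHeader so the analyst can see which class (for instance an Equation Editor object) will be instantiated on update. The embedded sample RTF is constructed for the example; its "Equation.3" class name and four-byte payload are chosen for illustration and are not taken from the real 3732-byte artifact. \binN raw-binary runs are deliberately not handled.

```python
"""Static triage of an RTF for the heuristics in this report: RTF_OBJUPDATE
(\objupdate present), RTF_OBJDATA (count, carve and hash each \objdata payload)
and, for each carved blob, the OLE1 ObjectHeader class name, which tells the
analyst what will be instantiated when the object updates."""
import hashlib
import re
import struct

# A control word (\word, optional numeric parameter, optional delimiter space),
# a hex escape (\'xx) or a control symbol (\*, \{, \}, ...).
CONTROL_RE = re.compile(rb"\\[a-zA-Z]+-?\d* ?|\\'[0-9a-fA-F]{2}|\\[\s\S]")
HEX_RE = re.compile(rb"[0-9a-fA-F]")
OBJUPDATE_RE = re.compile(rb"\\objupdate(?![a-zA-Z])")
OBJDATA_RE = re.compile(rb"\\objdata-?\d* ?")


def extract_objdata_hex(rtf: bytes) -> list[tuple[int, bytes]]:
    """Return (offset, hex_text) for every \objdata group. Hex digits at the
    group's own nesting level are kept; nested groups, control words and
    whitespace (the usual obfuscation) are dropped. \binN raw-binary runs are
    not handled here."""
    found = []
    for m in OBJDATA_RE.finditer(rtf):
        i, depth, out = m.end(), 0, bytearray()
        while i < len(rtf):
            c = rtf[i:i + 1]
            if c == b"\\":
                cw = CONTROL_RE.match(rtf, i)
                i = cw.end() if cw else i + 1
                continue
            if c == b"{":
                depth += 1
            elif c == b"}":
                if depth == 0:
                    break            # closing brace of the \objdata group
                depth -= 1
            elif depth == 0 and HEX_RE.match(c):
                out += c
            i += 1
        found.append((m.start(), bytes(out)))
    return found


def parse_ole1_header(blob: bytes):
    """Parse the OLE1 ObjectHeader (MS-OLEDS): OLEVersion, FormatID, then
    length-prefixed ANSI ClassName, TopicName, ItemName. For an embedded
    object (FormatID 2) NativeDataSize and NativeData follow. Returns
    (class_name, native_data) or None if the layout does not fit."""
    def lp_string(off):
        (n,) = struct.unpack_from("<I", blob, off)
        return blob[off + 4:off + 4 + n].rstrip(b"\x00").decode("latin-1"), off + 4 + n
    try:
        _version, fmt = struct.unpack_from("<II", blob, 0)
        if fmt not in (2, 3):            # 2 = EmbeddedObject, 3 = LinkedObject
            return None
        class_name, off = lp_string(8)
        _topic, off = lp_string(off)
        _item, off = lp_string(off)
        native = b""
        if fmt == 2:
            (size,) = struct.unpack_from("<I", blob, off)
            native = blob[off + 4:off + 4 + size]
        return class_name, native
    except struct.error:
        return None


def triage(rtf: bytes) -> dict:
    """Run the two RTF heuristics and carve/parse each embedded object."""
    report = {"objupdate": OBJUPDATE_RE.search(rtf) is not None, "objects": []}
    for offset, hextext in extract_objdata_hex(rtf):
        if len(hextext) % 2:             # stray nibble left by obfuscation: drop it
            hextext = hextext[:-1]
        raw = bytes.fromhex(hextext.decode("ascii"))
        parsed = parse_ole1_header(raw)
        report["objects"].append({
            "offset": offset,
            "size": len(raw),
            "sha256": hashlib.sha256(raw).hexdigest(),
            "class_name": parsed[0] if parsed else None,
            "native_data": parsed[1] if parsed else b"",
        })
    return report


def build_ole1_embedded(class_name: str, payload: bytes) -> bytes:
    """Build a minimal OLE1 embedded-object blob. Used only to construct the
    sample below; the real carved artifact is the 3732-byte file listed above."""
    name = class_name.encode("ascii") + b"\x00"
    return (struct.pack("<II", 0x00000501, 2) + struct.pack("<I", len(name)) + name
            + struct.pack("<II", 0, 0) + struct.pack("<I", len(payload)) + payload)


# Constructed sample: \objupdate plus one obfuscated \objdata group whose hex
# is split by a line break, a nested junk group and a control word. The class
# name "Equation.3" is chosen for the sample, not taken from the real file.
_hex = build_ole1_embedded("Equation.3", b"\xde\xad\xbe\xef").hex().encode()
SAMPLE_RTF = (b"{\\rtf1\\ansi\n{\\object\\objemb\\objupdate{\\*\\objdata "
              + _hex[:16] + b"\n{\\*\\junk 4141}" + _hex[16:40] + b"\\par " + _hex[40:]
              + b"}}\n\\par Please click Enable editing to view the audit report.}")

if __name__ == "__main__":
    r = triage(SAMPLE_RTF)
    print("RTF_OBJUPDATE:", r["objupdate"])
    for o in r["objects"]:
        print(f"\\objdata at 0x{o['offset']:x}: {o['size']} bytes, "
              f"class={o['class_name']}, sha256={o['sha256']}")
```

Run it against a real sample by replacing SAMPLE_RTF with the file's bytes; a class name other than the one shown in the constructed sample, a FormatID of 3 (linked object) or a header that does not parse are each worth a closer look, because the \objupdate heuristic only says the object will activate, not what it is.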