Malicious RTF — malware analysis report

Static analysis result for SHA-256 0085f002dd1f6102…

MALICIOUS

RTF

Size: 89.6 KB
First seen: 2024-06-25
MD5: 71203646e017d3b63faf4e9d19c11dc4
SHA-1: 26f8ac97c28017c914591d6c3c3e543bee0c5462
SHA-256: 0085f002dd1f610211a5e5ee02d55b593e269b22b68c27874015fa59a6299cf0
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.001 Malicious Link
  • T1059.003 Windows Command Shell

The RTF file contains an embedded OLE object whose Equation Editor ProgID is split across the byte stream, indicating exploitation of CVE-2017-11882. The \objupdate directive forces OLE activation when the document is opened, which is likely intended to trigger the exploit without user interaction. This exploit typically downloads and executes a second-stage payload, hence the mapping to the attack pattern of exploitation for client execution.

Heuristics (3)

  • Split hex Equation Editor ProgID + OLE object (severity: critical, rule: RTF_EQUATION_EDITOR)
    RTF embeds the Equation.3 ProgID as hex bytes near OLE object activation and splits the byte stream with whitespace or an ignorable RTF group. This is an Equation Editor OLE activation surface commonly used by CVE-2017-11882 / CVE-2018-0802 exploit documents.
  • \objupdate forces OLE activation (severity: high, rule: RTF_OBJUPDATE)
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium, rule: RTF_OBJDATA)
    RTF contains 1 \objdata section(s), i.e. embedded OLE objects.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename                    Kind                 Source                         Size
objdata_00_off00001a15.bin  rtf-objdata-decoded  RTF \objdata at offset 0x1A15  2170 bytes
  SHA-256: 45ac174292cec2c7cc866bd6df39d2d8042ca5d0e69fbd46f803650f7b820ef1