Malicious RTF — malware analysis report

Static analysis result for SHA-256 03a785d662fab866…

Verdict: MALICIOUS
File type: RTF
Size: 12.6 KB
First seen: 2022-11-12
MD5: edcd263f58a681981ae29c726928ff76
SHA-1: d539d90359d046b22fdcd4d0a9b4246af5b0aeb8
SHA-256: 03a785d662fab866269f06538316bd06103abecb28f10e26f02b82d3e43a2887
Risk score: 120

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The RTF document contains an embedded OLE object with a split Equation Editor ProgID, indicating exploitation of CVE-2017-11882. The ".objupdate" directive forces the activation of this object, which is a known method for executing arbitrary code. The embedded OLE object data, when decoded, likely contains shellcode designed to download and execute a second-stage payload, although the exact payload could not be determined from the provided data.

Heuristics (3)

  • Split hex Equation Editor ProgID + OLE object (severity: critical, rule: RTF_EQUATION_EDITOR)
    The RTF embeds the Equation.3 ProgID as hex bytes near the OLE object activation and splits the byte stream with whitespace or an ignorable RTF group. This is an Equation Editor OLE activation surface commonly used by CVE-2017-11882 / CVE-2018-0802 exploit documents.
  • \objupdate forces OLE activation (severity: high, rule: RTF_OBJUPDATE)
    The RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium, rule: RTF_OBJDATA)
    The RTF contains 1 \objdata section(s), i.e. embedded OLE objects.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00001634.bin
SHA-256: 97d822d0ae1fe05cb83e0b3db81b516fa55af034edbcdc34386deba82dc0b9ae
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x1634
Size: 1725 bytes