Malicious RTF — malware analysis report

Static analysis result for SHA-256 04a7be1355b9686f…

MALICIOUS

RTF

11.9 KB
MD5: f5a7149a9d7b3b8dde526aed2a7ea722 SHA-1: 2dd6acde3fee5dc0478a0668770f8e4719348d36 SHA-256: 04a7be1355b9686f3a54599e59faa65d610de43f6262415d405e95b6e659769c
120 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The RTF document contains critical heuristics indicating the exploitation of the Equation Editor vulnerability (RTF_EQUATION_EDITOR) and forces OLE activation (RTF_OBJUPDATE). This suggests the file is designed to execute arbitrary code, likely to download a second-stage payload. The presence of OLE object data (RTF_OBJDATA) further supports this attack vector.

Heuristics 3

  • Split hex Equation Editor ProgID + OLE object critical RTF_EQUATION_EDITOR
    RTF embeds the Equation.3 ProgID as hex bytes near OLE object activation and splits the byte stream with whitespace or an ignorable RTF group. This is an Equation Editor OLE activation surface commonly used by CVE-2017-11882 / CVE-2018-0802 exploit documents.
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off000015cb.bin
733305abf8a5663c73415204da35733c6e3ba59c6622c50b4dfdc0f6b13fbc9b		 rtf-objdata-decoded RTF \objdata at offset 0x15CB 2064 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.