Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 04c1aee7d196106b…

MALICIOUS

RTF / .DOC

62.2 KB
MD5: ab8fad088bee7ef460af7d69928e6fe7 SHA-1: 6783eeadb3e8cd6d18495479f6e2ac956144b649 SHA-256: 04c1aee7d196106b8ca114a0ed1c640b55a5e61c7558d232a7c419946f1c418f
120 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The sample is an RTF document containing OLE objects and triggering heuristics related to the Equation Editor vulnerability. This indicates it's designed to exploit a client-side vulnerability for code execution, likely to download and run a secondary payload. The specific exploit used is identified as a critical Equation Editor vulnerability.

Heuristics 3

  • Split hex Equation Editor ProgID + OLE object critical RTF_EQUATION_EDITOR
    RTF embeds the Equation.3 ProgID as hex bytes near OLE object activation and splits the byte stream with whitespace or an ignorable RTF group. This is an Equation Editor OLE activation surface commonly used by CVE-2017-11882 / CVE-2018-0802 exploit documents.
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 2 \objdata section(s) — embedded OLE objects

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off000009f4.bin
31a233d68d4de04767f9fc198824c3c53045c8687e5561b20225cfaab85e93a3		 rtf-objdata-decoded RTF \objdata at offset 0x9F4 1363 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.