Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 056423487d9c1640…

MALICIOUS

RTF / .DOC

Size: 70.8 KB
First seen: 2023-08-26
MD5: a9873a6bbc2bca4b14f3cf211d0fb231
SHA-1: 9aa9e1a85595fe3733b276196f2052c0bdc0e470
SHA-256: 056423487d9c1640e5a94f843a5068f537fdaeac6cffd6225eb7d34c0b27434b
Risk Score: 200

Malware Insights

MITRE ATT&CK
  • T1204 Malicious Link
  • T1204.002 Malicious Link: Malicious File
  • T1566 Phishing
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059 Command and Scripting Interpreter
  • T1059.005 Command and Scripting Interpreter: Visual Basic

The file is an RTF document containing an embedded OLE object that exploits the CVE-2017-11882 vulnerability in Microsoft Equation Editor. The presence of the ".objupdate" directive indicates that the embedded object is intended to be activated automatically upon opening the document, likely to download and execute a secondary payload. The document body contains a lure related to financial statements and auditor opinions, instructing the user to 'Enable editing'.

Heuristics (5)

  • CVE-2017-11882 — Equation Editor FONT record overflow [critical] (rule: CVE_2017_11882, tag: CVE likely)
    Equation Editor MTEF contains an overlong FONT typeface field, the vulnerable copy primitive for CVE-2017-11882. This is stronger evidence than the Equation Editor CLSID alone because it identifies the malformed record that drives code execution in EQNEDT32.EXE.
  • Equation Editor CLSID [critical] (rule: RTF_EQUATION_EDITOR)
    Equation Editor OLE CLSID found inside an OLE object; exploited by CVE-2017-11882 / CVE-2018-0802 / CVE-2018-0798.
  • \objupdate forces OLE activation [high] (rule: RTF_OBJUPDATE)
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data [medium] (rule: RTF_OBJDATA)
    RTF contains 1 \objdata section(s): embedded OLE objects.
  • Macro/content-enable lure [medium] (rule: SE_ENABLE_LURE)
    Document instructs the user to enable macros or editing, a common technique used by malware droppers to bypass Office macro security settings.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off000040c0.bin
SHA-256: 46b078e91fd29b2e7214ce772604a961c7f96c3d64abf57a02add3a0de333e76
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x40C0
Size: 4153 bytes