Malicious RTF — malware analysis report

Static analysis result for SHA-256 05c7b09c9a29a491…

Verdict: MALICIOUS
File type: RTF
Size: 86.5 KB
First seen: 2024-08-22
MD5: c937611b3dff3091e417df17f1aefacf
SHA-1: 2ec59c2a4138a35f2c8da198d46a2376d0eebdcd
SHA-256: 05c7b09c9a29a491e178c9ce903e579e5e0c3877117bf6943ed5de60558cf1f8
Risk score: 140

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1204.002 User Execution: Malicious File

The RTF file contains an embedded OLE object that specifically targets the Equation Editor vulnerability (RTF_EQUATION_EDITOR). The presence of \objupdate suggests an attempt to activate the embedded object automatically when the document is opened. This indicates a likely exploit delivery mechanism designed to execute a secondary payload, hence the high confidence in malicious intent.

Heuristics (4)

  • Split hex Equation Editor ProgID + OLE object [critical] RTF_EQUATION_EDITOR
    RTF embeds the Equation.3 ProgID as hex bytes near OLE object activation and splits the byte stream with whitespace or an ignorable RTF group. This is an Equation Editor OLE activation surface commonly used by CVE-2017-11882 / CVE-2018-0802 exploit documents.
  • \objupdate forces OLE activation [high] RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data [medium] RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects.
  • Embedded OLE object [medium] RTF_OBJEMB
    RTF contains \objemb — embedded OLE object.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off0000116b.bin
SHA-256:  f0738f0c6dc4b943a4bedac1e33b88bfe32c953571a6730682f3833668aa8d45
Kind:     rtf-objdata-decoded
Source:   RTF \objdata at offset 0x116B
Size:     1837 bytes