Malicious RTF — malware analysis report

Static analysis result for SHA-256 08af14f37ae5b7ed…

MALICIOUS

RTF

12.8 KB First seen: 2019-09-30
MD5: a89b8e132c1a1a85060e70416e53cbaa SHA-1: 08a991c7280d2b8fc1b1c11ed246b193e78ef154 SHA-256: 08af14f37ae5b7ed915f4892c6213e804be466c8a3ba65df7aa0ce9b8eca19ce
160 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The sample is an RTF document containing OLE object data, specifically triggering heuristics related to Microsoft Equation Editor vulnerabilities and OLE activation. This indicates the file is designed to exploit a known vulnerability (CVE-2017-11882) to achieve code execution. The presence of OLE object data suggests it's likely a malicious attachment delivered via spearphishing, intended to download and execute a further stage.

Heuristics 4

  • Equation Editor CLSID critical CVE likely RTF_EQUATION_EDITOR
    Equation Editor OLE CLSID found inside an OLE object — exploited by CVE-2017-11882 / CVE-2018-0802 / CVE-2018-0798
  • Ole10Native stream in RTF OLE object high CVE related RTF_OLE10NATIVE_STREAM
    RTF contains an embedded OLE object with an Ole10Native stream. This is a strong payload-container signal and is related to Word/OLE exploit delivery, but it is not specific enough on its own to assign a CVE.
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off000010cb.bin rtf-objdata-decoded RTF \objdata at offset 0x10CB 4156 bytes
SHA-256: 71283e8693204fa2f3b60c712141cd4efa0384e8fffca59d3c0b5e6b2bf068ce

Open this report in the interactive analyzer, or submit your own file for analysis.