Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 0993226670daf893…

MALICIOUS

RTF / .DOC

Size: 21.0 KB
First seen: 2022-08-18
MD5: d3627fd29e3d56a8ffca83dd3a3813bc
SHA-1: 1400513e754fbf73224b29980ce4252a41fbd6da
SHA-256: 0993226670daf893706991eb02d9b70540b929949d198b2d66a38b3d63263515
Risk Score: 200

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File

The sample is an RTF document that leverages the CVE-2017-11882 vulnerability in the Equation Editor OLE object. This vulnerability allows for the execution of arbitrary code when the embedded object is activated. The presence of OLE object data and specific heuristics related to Ole10Native streams strongly indicate this exploit. The document body is heavily obfuscated and unreadable, but the exploit mechanism itself is clear.

Heuristics (5)

  • Equation Editor Ole10Native payload (CVE-2017-11882 likely) | severity: critical | CVE: likely | rule: CVE_2017_11882_EQUATION_OLE10NATIVE
    RTF decodes to an activated Microsoft Equation 3.0 OLE storage whose payload is a high-entropy Ole10Native stream rather than normal Equation Native/MTEF data. This is a weaponized Equation Editor RCE delivery shape consistent with CVE-2017-11882/CVE-2018-0802.
  • Ole10Native stream in RTF OLE object | severity: high | CVE: related | rule: RTF_OLE10NATIVE_STREAM
    RTF contains an embedded OLE object with an Ole10Native stream. This is a strong payload-container signal and is related to Word/OLE exploit delivery, but it is not specific enough on its own to assign a CVE.
  • Automatically linked OLE object | severity: high | rule: RTF_OBJAUTLINK
    RTF contains \objautlink, an automatically linked OLE object surface that can be updated or activated when Word opens the document.
  • \objupdate forces OLE activation | severity: high | rule: RTF_OBJUPDATE
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data | severity: medium | rule: RTF_OBJDATA
    RTF contains 2 \objdata section(s) (embedded OLE objects).

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  • Filename: objdata_00_off000016ec.bin
    SHA-256: 79dfa9f81e122765b46898f3252e3e1b75e9fcfdb4b2a4fa99a1f8c1a71f1356
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x16EC
    Size: 4277 bytes