Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 0ae519aa9b815512…

Verdict: MALICIOUS
Type: RTF / .DOC
Size: 1.67 MB
MD5: 0765ff9e7e876b5d6836596fbffa4a4a
SHA-1: cec1b984c2a34bb7bd8956f1f7dfb5d285d4d1b6
SHA-256: 0ae519aa9b815512741d8a1acf34e8a6a4933b24d866c0568ad0f23d09291d6b
Risk Score: 220

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1566.001 Spearphishing Attachment

The RTF file contains multiple critical heuristic firings indicating the exploitation of CVE-2017-11882 via Microsoft Equation Editor. The presence of OLE object data and excessive hex data further suggests the embedding of a malicious payload. The file's purpose is to execute this payload upon opening, likely delivered via spearphishing.

Heuristics (5)

  • Equation Editor OLE1 native payload — CVE-2017-11882 related (critical; CVE related; CVE_2017_11882_RELATED)
    RTF decodes to an OLE1 Equation.3 embedded object whose native data is large and payload-like, and \objupdate requests automatic activation. This is the delivery shape used by Equation Editor RCE documents such as CVE-2017-11882/CVE-2018-0802, but the malformed MTEF record needed for exact attribution was not recovered.
  • Split hex Equation Editor ProgID + OLE object (critical; RTF_EQUATION_EDITOR)
    RTF embeds the Equation.3 ProgID as hex bytes near OLE object activation and splits the byte stream with whitespace or an ignorable RTF group. This is an Equation Editor OLE activation surface commonly used by CVE-2017-11882 / CVE-2018-0802 exploit documents.
  • \objupdate forces OLE activation (high; RTF_OBJUPDATE)
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • Large hex data blocks in OLE object (high; RTF_EXCESSIVE_HEX)
    RTF contains ~1745KB of hex-encoded data inside \objdata sections, which may hide a payload.
  • OLE object data (medium; RTF_OBJDATA)
    RTF contains 2 \objdata section(s), i.e. embedded OLE objects.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  Filename: objdata_00_off00001bd7.bin
  SHA-256:  6322c6b8c2682e95684e5c9a2f89904335b8e6f06486f7b8af5d8dac571b71ab
  Kind:     rtf-objdata-decoded
  Source:   RTF \objdata at offset 0x1BD7
  Size:     872854 bytes