Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 0dd9afe4c7dabdd1…

MALICIOUS

RTF / .DOC

51.3 KB
MD5: d66110d5663e3d78f077055eb46f3c0f SHA-1: ca3ea1bf09e6bc3aab3055e5f726469932480d90 SHA-256: 0dd9afe4c7dabdd11d0326921c632e02a32a8c05fd03b51e11d69c5a08a78ffc
140 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The sample is an RTF document that contains an embedded OLE object, specifically targeting the Equation Editor component. The presence of RTF_OBJUPDATE indicates that the embedded object is designed to be activated automatically upon opening, leading to the exploitation of a known vulnerability (CVE-2017-11882). This exploitation is a critical finding, suggesting the file's primary purpose is to achieve code execution for a subsequent payload.

Heuristics 4

  • Split hex Equation Editor ProgID + OLE object critical RTF_EQUATION_EDITOR
    RTF embeds the Equation.3 ProgID as hex bytes near OLE object activation and splits the byte stream with whitespace or an ignorable RTF group. This is an Equation Editor OLE activation surface commonly used by CVE-2017-11882 / CVE-2018-0802 exploit documents.
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects
  • Embedded OLE object medium RTF_OBJEMB
    RTF contains \objemb — embedded OLE object

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off00000db3.bin
05b492e313145c9ea09ea52c10e98f69e8b1f67c36b1a01201a58e90ada9f441		 rtf-objdata-decoded RTF \objdata at offset 0xDB3 1810 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.