Malicious RTF — malware analysis report

Static analysis result for SHA-256 0ff105df6495ddf6…

MALICIOUS

RTF

Size: 97.5 KB
First seen: 2024-07-23
MD5: adfee8b962087fe5108f615806ce6903
SHA-1: 9fe53ce6caac64baf06bd05185898c6ea13e7b9f
SHA-256: 0ff105df6495ddf66c6517261123c11119d2ad4433df36f9414106a7af3fe411
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File

The sample is an RTF document that contains an embedded OLE object, specifically targeting the Equation Editor vulnerability. The presence of `RTF_EQUATION_EDITOR` and `RTF_OBJUPDATE` heuristics indicates that the file is designed to exploit this vulnerability upon opening, likely to download and execute a secondary payload. The document body is heavily obfuscated and does not provide clear user-facing content, reinforcing the malicious intent.

Heuristics (3)

  • RTF_EQUATION_EDITOR (critical): Split hex Equation Editor ProgID + OLE object
    The RTF embeds the Equation.3 ProgID as hex bytes near OLE object activation and splits the byte stream with whitespace or an ignorable RTF group. This is an Equation Editor OLE activation surface commonly used by CVE-2017-11882 / CVE-2018-0802 exploit documents.
  • RTF_OBJUPDATE (high): \objupdate forces OLE activation
    The RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • RTF_OBJDATA (medium): OLE object data
    The RTF contains 1 \objdata section(s) (embedded OLE objects).

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00000b34.bin
SHA-256: 36857b3349239410028a0eb86111e393fae5e4311cd26d882d7f81ca55674594
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0xB34
Size: 2083 bytes