Malicious RTF — malware analysis report

Static analysis result for SHA-256 12a12b2c2c7f52ba…

MALICIOUS

RTF

40.8 KB First seen: 2023-07-10
MD5: 39c47863ba1127bb0f46600ac15e2349 SHA-1: deade6e26c3c16bbacebe73788337205fd1d982e SHA-256: 12a12b2c2c7f52bac033f9583406472ead553cf92acddfe0009e0a2195e0fcf3
140 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment T1204.002 Malicious File: Malicious File

The RTF document contains OLE object data and specifically triggers heuristics related to Equation Editor exploitation and OLE object activation. The document body includes a common lure instructing the user to 'Enable editing' to view the content, which is a technique used to bypass security measures and facilitate the execution of embedded exploits.

Heuristics 4

  • Split hex Equation Editor ProgID + OLE object critical RTF_EQUATION_EDITOR
    RTF embeds the Equation.3 ProgID as hex bytes near OLE object activation and splits the byte stream with whitespace or an ignorable RTF group. This is an Equation Editor OLE activation surface commonly used by CVE-2017-11882 / CVE-2018-0802 exploit documents.
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects
  • Macro/content-enable lure medium SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off00005bc7.bin
f1624aec486600e17f34be88da7d467c2ee9c99b552d855bfa4e95fc70f36d5d		 rtf-objdata-decoded RTF \objdata at offset 0x5BC7 1468 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.