Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 15723c9ed5323a6d…

Verdict: MALICIOUS
File type: RTF / .DOC
Size: 114.8 KB
MD5: 6fe3c24853e9de94688a2311999ba946
SHA-1: c4383b6caefcb3050ee009394ed1ae07c4f8fd6e
SHA-256: 15723c9ed5323a6dc5b7a407c37000456bff531f06bd9e7732278eb518445547
Risk score: 140

Malware Insights

MITRE ATT&CK

  • T1203 Exploitation for Client Execution
  • T1566.001 Spearphishing Attachment

The sample is an RTF document containing an embedded OLE object that leverages a known vulnerability in the Equation Editor component. The critical RTF_EQUATION_EDITOR heuristic indicates exploitation of this component, which is commonly used to achieve arbitrary code execution. The RTF_OBJUPDATE heuristic further suggests that the embedded object is designed to be activated, likely to download and execute a secondary payload.

Heuristics (4)

  • RTF_EQUATION_EDITOR (critical): Split hex Equation Editor ProgID + OLE object
    RTF embeds the Equation.3 ProgID as hex bytes near OLE object activation and splits the byte stream with whitespace or an ignorable RTF group. This is an Equation Editor OLE activation surface commonly used by CVE-2017-11882 / CVE-2018-0802 exploit documents.
  • RTF_OBJUPDATE (high): \objupdate forces OLE activation
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • RTF_OBJDATA (medium): OLE object data
    RTF contains 1 \objdata section(s) — embedded OLE objects
  • RTF_OBJEMB (medium): Embedded OLE object
    RTF contains \objemb — embedded OLE object

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00001cb9.bin
SHA-256: a0b285d83b320455fbca0b67a0aac04629a334d3cf76e866887040e05469a7b2
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x1CB9
Size: 1862 bytes