Malicious RTF — malware analysis report

Static analysis result for SHA-256 1700e17414c11dd4…

MALICIOUS

RTF

222.6 KB Created: 2021-02-12 04:30:00
MD5: 9771758e4bdfe21b99c42d58bd6689ce SHA-1: d248b6a801d498211d24f4a9a63cf91f99538bf1 SHA-256: 1700e17414c11dd42ea732b4b700d4f445a05c206cfe504fdb072a3692205f29
182 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The RTF file contains embedded OLE objects and specifically leverages the Equation Editor component, indicating an exploitation attempt. The presence of \objupdate suggests that the embedded object is designed to be activated automatically, leading to code execution. This is a common technique for delivering secondary payloads.

Heuristics 6

  • Equation Editor object class critical RTF_OBJCLASS_EQUATION
    Object class 'equation.3' references Equation Editor
  • Equation Editor ProgID + OLE object high RTF_EQUATION_EDITOR
    RTF references Equation.3 ProgID alongside \objdata — likely Equation Editor (CVE-2017-11882 / CVE-2018-0802 / CVE-2018-0798) but without the binary CLSID payload, so flagged at HIGH instead of CRITICAL.
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects
  • Embedded OLE object medium RTF_OBJEMB
    RTF contains \objemb — embedded OLE object
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.microsoft.com/office/word/2003/wordml

Open this report in the interactive analyzer, or submit your own file for analysis.