Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 1761708807cc8069…

MALICIOUS

RTF / .DOC

25.2 KB
MD5: 30181e3587c815a5f0f3e5978881da8c SHA-1: fb88d5251cea0f55ea669d751f5082618d5396bc SHA-256: 1761708807cc80699956bf603fa86f92f24410656df3abe71cca5d1803967130
120 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The sample is an RTF document containing embedded OLE objects and specifically triggers heuristics for the Equation Editor vulnerability (RTF_EQUATION_EDITOR) and OLE activation (RTF_OBJUPDATE). This indicates a likely exploit targeting CVE-2017-11882 or a similar vulnerability to achieve code execution. The presence of OLE object data suggests the embedded exploit is designed to download and execute a secondary payload.

Heuristics 3

  • Split hex Equation Editor ProgID + OLE object critical RTF_EQUATION_EDITOR
    RTF embeds the Equation.3 ProgID as hex bytes near OLE object activation and splits the byte stream with whitespace or an ignorable RTF group. This is an Equation Editor OLE activation surface commonly used by CVE-2017-11882 / CVE-2018-0802 exploit documents.
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 2 \objdata section(s) — embedded OLE objects

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off00001e69.bin
63bc022b5b1594b6ac101068a399b43c79f399e43297e0eeaedd903db63f9394		 rtf-objdata-decoded RTF \objdata at offset 0x1E69 1694 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.