Malicious RTF — malware analysis report

Static analysis result for SHA-256 1810e4b820163bad…

MALICIOUS

RTF

110.9 KB First seen: 2024-10-15
MD5: 6535be26b54348be4df6f17aa902dc90 SHA-1: a3146065280b6e92fd0d00c80f936f2148ca56cb SHA-256: 1810e4b820163bad0b6bb18d917ccbc23fe4569753c03db09504415f69dcc481
120 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1105 Ingress Tool Transfer

The RTF file contains an embedded OLE object that leverages a known vulnerability in the Equation Editor (RTF_EQUATION_EDITOR). The ".objupdate" directive forces the activation of this object, leading to code execution. This is a common technique for delivering secondary payloads, often downloaded from a remote server.

Heuristics 3

  • Split hex Equation Editor ProgID + OLE object critical RTF_EQUATION_EDITOR
    RTF embeds the Equation.3 ProgID as hex bytes near OLE object activation and splits the byte stream with whitespace or an ignorable RTF group. This is an Equation Editor OLE activation surface commonly used by CVE-2017-11882 / CVE-2018-0802 exploit documents.
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off000010b9.bin
9ff9bc57356fd7ae0c4da48c7ac72adf962ca483c0880b959b7f640d9fc9192e		 rtf-objdata-decoded RTF \objdata at offset 0x10B9 2233 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.