Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 190f8004647951c8…

MALICIOUS

RTF / .DOC

2.07 MB First seen: 2022-03-16
MD5: a2b1df94e1dbbecda72e2e1eab655b92 SHA-1: e04266f5080f844943ce2e9a8d166762114c7da4 SHA-256: 190f8004647951c8a6d90c2ba2c77b71216c7bef4dfb22655b21cd75ea386e65
180 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The RTF file contains an embedded OLE object that exploits CVE-2017-11882 via the Equation Editor. The object is configured to update and activate, indicating it's intended to execute a payload. The DOC BODY excerpt contains what appears to be obfuscated VBScript code, suggesting the OLE object likely drops and executes a malicious script.

Heuristics 5

  • Equation Editor activation — CVE-2017-11882 related high CVE related CVE_2017_11882_ACTIVATION_RELATED
    RTF decodes to an Equation.3 ProgID and requests OLE activation with \objemb plus \objupdate. This reaches the legacy Equation Editor attack surface used by CVE-2017-11882/CVE-2018-0802 documents, but the malformed MTEF/native payload needed for stronger attribution was not recovered.
  • Split hex Equation Editor ProgID + OLE object critical RTF_EQUATION_EDITOR
    RTF embeds the Equation.3 ProgID as hex bytes near OLE object activation and splits the byte stream with whitespace or an ignorable RTF group. This is an Equation Editor OLE activation surface commonly used by CVE-2017-11882 / CVE-2018-0802 exploit documents.
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 2 \objdata section(s) — embedded OLE objects
  • Embedded OLE object medium RTF_OBJEMB
    RTF contains \objemb — embedded OLE object

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off000012c5.bin
6b7a8c80e9b9b0e7a473a98cab2c66735190d4267b97f7eba0df17228c79ec7e		 rtf-objdata-decoded RTF \objdata at offset 0x12C5 84551 bytes
objdata_01_off000360dc.bin
fd3b0881f817e61583f80f1519a3dd200c0f623223e0b7277aad89f0688231e3		 rtf-objdata-decoded RTF \objdata at offset 0x360DC 463159 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.