Malicious RTF — malware analysis report

Static analysis result for SHA-256 1fd49774947e6c94…

MALICIOUS

RTF

30.2 KB First seen: 2019-04-18
MD5: febb2dad9e0cf0cb7949738f13088fbf SHA-1: 142c1db07380b340507496d622f9de5f3eea9482 SHA-256: 1fd49774947e6c94d82fc8ecfe2e3ddb177e028d48f5132b058a419b41612671
120 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The RTF file contains an embedded OLE object with a split Equation Editor ProgID, indicating exploitation of a known vulnerability in Microsoft Equation Editor. The presence of \objupdate further suggests that the OLE object is designed to be activated automatically, leading to arbitrary code execution. The document body is obfuscated and does not provide further clues.

Heuristics 3

  • Split hex Equation Editor ProgID + OLE object critical CVE likely RTF_EQUATION_EDITOR
    RTF embeds the Equation.3 ProgID as hex bytes near OLE object activation and splits the byte stream with whitespace or an ignorable RTF group. This is an Equation Editor OLE activation surface commonly used by CVE-2017-11882 / CVE-2018-0802 exploit documents.
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off00005bbe.bin rtf-objdata-decoded RTF \objdata at offset 0x5BBE 1763 bytes
SHA-256: a1f4f7b831b117e50c78a42a360689277ce3af84d483364f45a7df818380076d

Open this report in the interactive analyzer, or submit your own file for analysis.