Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 1fd6569eae2820af…

MALICIOUS

RTF / .DOC

37.6 KB First seen: 2023-02-22
MD5: ac61d636809fd4617b6fa6b5a099a38c SHA-1: 9e3bb29de5667a90fe0df822ec27a0f4a6a012ed SHA-256: 1fd6569eae2820afd99e6ba741c6f4c69f61004e617e9e0cccf54c4df93d6865
140 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious File

The file is an RTF document containing an embedded OLE object, specifically identified as an Equation Editor exploit. The presence of \objupdate indicates that the object is designed to be activated automatically upon opening or when the user enables editing, a common lure. This suggests the document is a dropper or exploit delivery mechanism.

Heuristics 4

  • Split hex Equation Editor ProgID + OLE object critical RTF_EQUATION_EDITOR
    RTF embeds the Equation.3 ProgID as hex bytes near OLE object activation and splits the byte stream with whitespace or an ignorable RTF group. This is an Equation Editor OLE activation surface commonly used by CVE-2017-11882 / CVE-2018-0802 exploit documents.
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects
  • Macro/content-enable lure medium SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off000048f4.bin
8659c530c1a036f242b4f917b1ece763a58a7b576046435699f9f1f499daa675		 rtf-objdata-decoded RTF \objdata at offset 0x48F4 1450 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.