Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 21c1dd0f94ae046f…

MALICIOUS

RTF / .DOC

61.6 KB
MD5: 4ef5c9db88516a460f31680116030c10 SHA-1: f71a851b6975dd423f1be4cb55d1b762d76259ff SHA-256: 21c1dd0f94ae046f2e9b4f60f95fd876aa7cde2784aba1d36f520466f8b6098f
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious File Execution: Malicious Attachment

The file is an RTF document that contains embedded OLE object data, specifically targeting the Equation Editor vulnerability. The RTF_OBJUPDATE heuristic indicates that the embedded object is designed to be activated automatically. This suggests the document is crafted to exploit the Equation Editor vulnerability (CVE-2017-11882) to execute arbitrary code, likely to download and run a secondary malicious payload. No specific family could be identified.

Heuristics 3

  • Split hex Equation Editor ProgID + OLE object critical RTF_EQUATION_EDITOR
    RTF embeds the Equation.3 ProgID as hex bytes near OLE object activation and splits the byte stream with whitespace or an ignorable RTF group. This is an Equation Editor OLE activation surface commonly used by CVE-2017-11882 / CVE-2018-0802 exploit documents.
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 2 \objdata section(s) — embedded OLE objects

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off000004f7.bin
621fa5b90709da6111801e73311ed97be8a8a35b9d58206641974af6641930e7		 rtf-objdata-decoded RTF \objdata at offset 0x4F7 1618 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.