Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 2367da990c6a5e3c…

Verdict: MALICIOUS
File type: RTF / .DOC
Size: 20.8 KB
MD5: 2e700061fc3a1c5118482ee507a28ba6
SHA-1: b6ee38e2a9f2149cb45a3b403273a0c25d7b092f
SHA-256: 2367da990c6a5e3c91e81efca9f03a1bc6b63ee7c981f1fa6533d7f2c3fe21e7
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File
  • T1059.003 Windows Command Shell

The sample is an RTF document that embeds OLE object data (two \objdata sections) and forces OLE activation with \objupdate, so the object is instantiated as soon as the document is opened, without the user clicking it. The RTF_EQUATION_EDITOR heuristic fired because the Equation.3 ProgID is encoded as split hex next to that activation, a pattern characteristic of documents that exploit the memory-corruption vulnerabilities in the Microsoft Equation Editor component (EQNEDT32.EXE), CVE-2017-11882 and CVE-2018-0802. Such documents typically use the Equation Editor process to run a command (T1059.003) that downloads and executes a second-stage payload. This is a static result only: the payload was not observed, so the assessment of further compromise is an inference from the exploit structure.

Heuristics (3)

  • RTF_EQUATION_EDITOR (critical): Split hex Equation Editor ProgID + OLE object
    RTF embeds the Equation.3 ProgID as hex bytes near OLE object activation and splits the byte stream with whitespace or an ignorable RTF group. This is an Equation Editor OLE activation surface commonly used by CVE-2017-11882 / CVE-2018-0802 exploit documents. The split defeats naive substring matching on "Equation.3" or its hex encoding; the hex must be reassembled before matching.
  • RTF_OBJUPDATE (high): \objupdate forces OLE activation
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, so no user click is needed. Almost exclusively seen in Equation Editor exploit documents.
  • RTF_OBJDATA (medium): OLE object data
    RTF contains 2 \objdata sections (embedded OLE objects).
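The following is an added example, not the analyzer's own code and not content of the reported sample: a small Python scanner that reimplements the three heuristics above from their descriptions, and covers the summary paragraph as well. The heuristic IDs are reused as labels; the function names, the two sample documents and the {\*\ignorable ...} group are constructed for illustration. It reassembles the hex of each \objdata destination across whitespace and nested ignorable groups, parses the OLE1 ObjectHeader to recover the ProgID instead of substring-matching "Equation.3", and therefore fires RTF_EQUATION_EDITOR whether or not the hex was split (the split is only an evasion of naive matching). The offset and decoded size it reports are the same two values the artifact table below records for the real sample.

```python
import re
import struct

HEX_DIGITS = frozenset(b"0123456789abcdefABCDEF")
WHITESPACE = frozenset(b" \t\r\n")
CONTROL_WORD = re.compile(rb"\\[A-Za-z]+-?\d* ?")
EQUATION_PROGID = re.compile(r"^Equation(\.\d+)?$", re.IGNORECASE)


def collect_objdata_hex(rtf: bytes, pos: int):
    """Gather the hex digits of one \\objdata destination, starting just after
    the control word at `pos`, until the enclosing group closes.  Whitespace and
    nested {\\* ...} groups are stepped over; `split` records whether either of
    them interrupted the hex stream (the evasion RTF_EQUATION_EDITOR describes).
    \\binN raw-binary runs are not handled by this illustration."""
    hexbuf, split, interrupted = bytearray(), False, False
    i, n = pos, len(rtf)
    while i < n:
        c = rtf[i]
        if c == 0x7B:                       # '{': skip the nested group whole
            depth = 0
            while i < n:
                if rtf[i] == 0x7B:
                    depth += 1
                elif rtf[i] == 0x7D:
                    depth -= 1
                    if depth == 0:
                        break
                i += 1
            interrupted = bool(hexbuf)
            i += 1
            continue
        if c == 0x7D:                       # '}': end of the objdata destination
            break
        if c == 0x5C:                       # '\': control word or \'hh escape
            if rtf[i + 1:i + 2] == b"'":
                i += 4
            else:
                m = CONTROL_WORD.match(rtf, i)
                i = m.end() if m else i + 1
            continue
        if c in HEX_DIGITS:
            if interrupted:                 # hex resumed after a gap: split stream
                split = True
                interrupted = False
            hexbuf.append(c)
        elif c in WHITESPACE and hexbuf:
            interrupted = True
        i += 1
    return bytes(hexbuf), split


def ole1_progid(blob: bytes):
    """Return the class name (ProgID) from the OLE1 ObjectHeader that RTF
    \\objdata carries (MS-OLEDS), or None if the blob is not OLE1-framed."""
    if len(blob) < 12:
        return None
    version, format_id, name_len = struct.unpack_from("<III", blob, 0)
    if version != 0x00000501 or format_id not in (1, 2):   # 1 linked, 2 embedded
        return None
    return blob[12:12 + name_len].rstrip(b"\0").decode("latin-1")


def scan_rtf(rtf: bytes) -> dict:
    """Apply RTF_OBJDATA, RTF_OBJUPDATE and RTF_EQUATION_EDITOR to a raw RTF buffer."""
    objects = []
    for m in re.finditer(rb"\\objdata\b", rtf):
        hexbuf, split = collect_objdata_hex(rtf, m.end())
        if len(hexbuf) % 2:                 # dangling nibble: drop it
            hexbuf = hexbuf[:-1]
        blob = bytes.fromhex(hexbuf.decode("ascii"))
        objects.append({"offset": m.start(), "size": len(blob),
                        "progid": ole1_progid(blob), "split_hex": split})
    heuristics = []
    if objects:
        heuristics.append("RTF_OBJDATA")
    objupdate = re.search(rb"\\objupdate\b", rtf) is not None
    if objupdate:
        heuristics.append("RTF_OBJUPDATE")
    if any(o["progid"] and EQUATION_PROGID.match(o["progid"]) for o in objects):
        heuristics.append("RTF_EQUATION_EDITOR")
    return {"objupdate": objupdate, "objects": objects, "heuristics": heuristics}


# Constructed samples (not carved from the reported file).  The first mimics the
# reported layout: an OLE1 object naming the Equation.3 ProgID, its hex broken by
# a newline and by an ignorable {\*\...} group, plus \objupdate.
EQUATION_OLE1_HEX = (
    "01050000"                  # OLEVersion 0x00000501
    "02000000"                  # FormatID 2 = embedded
    "0b000000"                  # ClassName length 11, including NUL
    "4571756174696f6e2e3300"    # "Equation.3\0"
    "00000000" "00000000"       # TopicName / ItemName lengths
    "04000000" "41414141"       # NativeDataSize 4, native data "AAAA"
)
EQUATION_RTF = (
    r"{\rtf1\ansi{\object\objemb\objupdate{\*\objclass Equation.3}{\*\objdata "
    + EQUATION_OLE1_HEX[:12] + "\n" + EQUATION_OLE1_HEX[12:30]
    + r"{\*\ignorable junk}" + EQUATION_OLE1_HEX[30:] + "}}}"
).encode("ascii")

# A plain embedded Package object with contiguous hex: only RTF_OBJDATA fires.
PACKAGE_RTF = (
    r"{\rtf1\ansi{\object\objemb{\*\objdata "
    "0105000002000000" "08000000" "5061636b61676500"    # "Package\0"
    "0000000000000000" "01000000" "41" "}}}"
).encode("ascii")

if __name__ == "__main__":
    for label, doc in (("equation", EQUATION_RTF), ("package", PACKAGE_RTF)):
        r = scan_rtf(doc)
        print(label, r["heuristics"])
        for o in r["objects"]:
            print(f"  \\objdata at offset 0x{o['offset']:X}: {o['size']} bytes, "
                  f"ProgID={o['progid']!r}, split_hex={o['split_hex']}")
```

Run it directly to print the findings for both constructed documents. A production detector would additionally need to tolerate \binN raw-binary runs inside \objdata and to inspect the carved native data, which for Equation objects is usually an OLE2 compound file containing an "Equation Native" stream; neither is done here.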

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off000019af.bin
SHA-256: c95d48b1e80c87094ef1528b999955738593344df995d76c5ad281011580db1d
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x19AF
Size: 1490 bytes