Malicious RTF — malware analysis report

Static analysis result for SHA-256 245c6c636dd3522e…

Verdict: MALICIOUS

File type: RTF

File size: 4.4 KB

MD5: 0f37eced3632be1879abdd5881fa8d97
SHA-1: dcabcb8ed22bc6c70f187a10a9c80cdd34567277
SHA-256: 245c6c636dd3522e462463b1a5cb045c99176d3003f371d9df9b7c541f8d6f7c

Risk score: 120

Malware Insights

MITRE ATT&CK

  • T1203 Exploitation for Client Execution
  • T1566.001 Spearphishing Attachment

The RTF file contains embedded OLE objects and specifically triggers heuristics related to the Equation Editor vulnerability. The presence of \objupdate indicates an attempt to force OLE activation, likely leading to the exploitation of a client-side vulnerability for code execution. This is a common technique for delivering malicious payloads via email attachments.

Heuristics (3)

  • Split hex Equation Editor ProgID + OLE object [severity: critical; rule: RTF_EQUATION_EDITOR]
    RTF embeds the Equation.3 ProgID as hex bytes near OLE object activation and splits the byte stream with whitespace or an ignorable RTF group. This is an Equation Editor OLE activation surface commonly used by CVE-2017-11882 / CVE-2018-0802 exploit documents.
  • \objupdate forces OLE activation [severity: high; rule: RTF_OBJUPDATE]
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data [severity: medium; rule: RTF_OBJDATA]
    RTF contains 2 \objdata section(s) (embedded OLE objects).

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off000000c7.bin
SHA-256:  5ea44e5115cda832f2c1e0ec74b8d1f6b6105ceca3f585bc5bae582a05af2bd4
Kind:     rtf-objdata-decoded
Source:   RTF \objdata at offset 0xC7
Size:     2038 bytes