Malicious RTF — malware analysis report

Static analysis result for SHA-256 24c3c8fc3a042063…

MALICIOUS

RTF

83.0 KB First seen: 2024-09-22
MD5: 6584d78630c4842b775ead6ce3010211 SHA-1: 91b34cb911ffe4a2e8bdfd16a1411276de11e923 SHA-256: 24c3c8fc3a0420632056016cba54ad89e88b294ae3d3466b8727098fb74d5258
120 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1105 Ingress Tool Transfer

The sample is an RTF document that leverages a known vulnerability in the Equation Editor component. The heuristics indicate that the RTF contains OLE object data and uses \objupdate to force OLE activation, strongly suggesting exploitation for code execution. The specific exploit (RTF_EQUATION_EDITOR) points to a common delivery method for malware.

Heuristics 3

  • Split hex Equation Editor ProgID + OLE object critical RTF_EQUATION_EDITOR
    RTF embeds the Equation.3 ProgID as hex bytes near OLE object activation and splits the byte stream with whitespace or an ignorable RTF group. This is an Equation Editor OLE activation surface commonly used by CVE-2017-11882 / CVE-2018-0802 exploit documents.
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off00001ff4.bin
15a6295f9a54fa4d444000e422817f818c05aee1aad3a81b22cf35bcfccca5fc		 rtf-objdata-decoded RTF \objdata at offset 0x1FF4 1608 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.