Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 27db143d965a2403…

MALICIOUS

RTF / .DOC

4.3 KB
MD5: 3505f7ddd23dd1d665ed10b2db509830
SHA-1: f7ea99c8352abe648e5a14e256de81a56f8d3996
SHA-256: 27db143d965a24032772a2055dfb635af74c57c92070839990ac27d08ccd12cc

Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1559.002 Component Object Model Hijacking

The RTF document contains embedded OLE object data and carries the \objupdate control word, indicating an attempt to exploit the Equation Editor vulnerability. This is a common technique for delivering malicious payloads. No scripts were extracted and the document body was minimal, but the heuristics strongly suggest exploitation for code execution.

Heuristics (3)

  • Split hex Equation Editor ProgID + OLE object (severity: critical, rule: RTF_EQUATION_EDITOR)
    RTF embeds the Equation.3 ProgID as hex bytes near OLE object activation and splits the byte stream with whitespace or an ignorable RTF group. This is an Equation Editor OLE activation surface commonly used by CVE-2017-11882 / CVE-2018-0802 exploit documents.
  • \objupdate forces OLE activation (severity: high, rule: RTF_OBJUPDATE)
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium, rule: RTF_OBJDATA)
    RTF contains 2 \objdata section(s), i.e. embedded OLE objects.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off000000cd.bin
SHA-256: db5cb41a2fc881a359f195ad729e3f5957cfac3311de0dda539c7a2a8c3b322c
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0xCD
Size: 1947 bytes