Malicious RTF — malware analysis report

Static analysis result for SHA-256 29894cfea1f1f742…

MALICIOUS

RTF

118.5 KB First seen: 2024-07-18
MD5: e5102c5df398cf5130a0367e6b2a37c3 SHA-1: 4ec1eb316c8fbe5e71ab162ef86ed5e9929e3750 SHA-256: 29894cfea1f1f742f90e595a4b0e19b3de66d14eef3209331d653b5f49da8c62
140 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1105 Ingress Tool Transfer

The critical RTF_EQUATION_EDITOR heuristic indicates the file exploits a known vulnerability in Microsoft Equation Editor. The presence of OLE object data and an update trigger further supports this. The likely goal is to download and execute a secondary payload, as suggested by the combination of exploitation and object embedding.

Heuristics 4

  • Split hex Equation Editor ProgID + OLE object critical RTF_EQUATION_EDITOR
    RTF embeds the Equation.3 ProgID as hex bytes near OLE object activation and splits the byte stream with whitespace or an ignorable RTF group. This is an Equation Editor OLE activation surface commonly used by CVE-2017-11882 / CVE-2018-0802 exploit documents.
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects
  • Embedded OLE object medium RTF_OBJEMB
    RTF contains \objemb — embedded OLE object

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off00001d8f.bin
b492612c26e3c04ee51c31bde3b1f1015bb2a59c90ec832036738b7a364da830		 rtf-objdata-decoded RTF \objdata at offset 0x1D8F 2301 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.