Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 2ada03cc7424b371…

MALICIOUS

RTF / .DOC

94.7 KB
MD5:     e29c7b5122f5ec7bca035faa936bfc02
SHA-1:   2b2ca88d4f6a2d1ead1cefdceb25f194b27e0c7b
SHA-256: 2ada03cc7424b371b671f5c63e3c5644d747368287f6c68145e76de163967286

Risk Score: 120

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1204.002 Malicious File

The sample is an RTF document carrying an embedded OLE object that targets the Equation Editor vulnerability CVE-2017-11882. The \objupdate control word makes Word instantiate the embedded object as soon as the document is opened, so the exploit fires without the user clicking on anything. This is a common initial-access delivery mechanism whose purpose is to download and execute a second-stage payload. No specific malware family could be identified from the available heuristics.

Heuristics (3)

  • [critical] RTF_EQUATION_EDITOR: Split hex Equation Editor ProgID + OLE object
    RTF embeds the Equation.3 ProgID as hex bytes near the OLE object activation and splits the byte stream with whitespace or an ignorable RTF group, so a plain string search for "Equation.3" does not find it. This is the Equation Editor OLE activation surface used by CVE-2017-11882 / CVE-2018-0802 exploit documents.
  • [high] RTF_OBJUPDATE: \objupdate forces OLE activation
    RTF contains \objupdate, which forces the embedded OLE object to be instantiated when the document is opened, with no user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • [medium] RTF_OBJDATA: OLE object data
    RTF contains 2 \objdata section(s), i.e. embedded OLE objects (one of them was carved as an artifact; see Extracted artifacts below).
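The three heuristics above, implemented as a stand-alone Python triage script. This is an added example written for this page, not the scanner's own code: the RTF it checks is constructed inline (the `{\*\junk}` group is a hypothetical ignorable group used to split the ProgID hex, and the native data is a placeholder), and only the rule names and severities are taken from the list above. It shows why the ProgID has to be recovered by hex-decoding the \objdata body rather than by a string search, and how the "split hex" condition is tested against the raw RTF text.

```python
r"""
Triage an RTF for the three heuristics listed above: \objdata groups, \objupdate,
and an Equation.3 ProgID whose hex bytes are split by whitespace or an ignorable
{\*...} group.  Added example, not the scanner's code.  Assumptions: escaped
\{ \} are honoured, \bin binary runs are not, and the OLE 1.0 stream is parsed
only far enough to recover the class name.
"""
import re
import struct

PROGID = b"Equation.3"
PROGID_HEX = PROGID.hex()                       # 4571756174696f6e2e33
# Between any two hex digits of the ProgID, tolerate whitespace or an ignorable group.
_SEP = r"(?:\s|\{[^{}]*\})*"
PROGID_SPLIT_RE = re.compile(_SEP.join(re.escape(c) for c in PROGID_HEX), re.IGNORECASE)
CONTROL_RE = re.compile(r"\\[A-Za-z]+-?\d* ?")  # \word or \word-12, optional space delimiter
HEX_RE = re.compile(r"[0-9A-Fa-f]")
RULE_SEVERITY = {"RTF_EQUATION_EDITOR": "critical", "RTF_OBJUPDATE": "high", "RTF_OBJDATA": "medium"}
SEVERITY_ORDER = ["clean", "medium", "high", "critical"]

def control_word(name):
    r"""Match \name only as a whole control word (\objdata, not \objdatax)."""
    return re.compile(r"\\" + name + r"(?![A-Za-z])")

def find_group_bodies(rtf, name):
    r"""Text after each \name up to the brace that closes the group containing it."""
    bodies = []
    for m in control_word(name).finditer(rtf):
        start = rtf.rfind("{", 0, m.start())    # the '{' that opened this group
        if start < 0:
            continue
        depth = 0
        for i in range(start, len(rtf)):
            if rtf[i] not in "{}" or (i and rtf[i - 1] == "\\"):
                continue                         # not a brace, or an escaped literal brace
            depth += 1 if rtf[i] == "{" else -1
            if depth == 0:
                bodies.append(rtf[m.end():i])
                break
    return bodies

def decode_objdata(body):
    """Drop nested (ignorable) groups and control words, keep the hex digits, decode."""
    while True:
        body, n = re.subn(r"\{[^{}]*\}", "", body)   # innermost groups first
        if n == 0:
            break
    digits = "".join(HEX_RE.findall(CONTROL_RE.sub("", body)))
    return bytes.fromhex(digits[:len(digits) & ~1])

def ole1_class_name(data):
    """Class name of an OLE 1.0 object stream: OLEVersion, FormatID, then a
    length-prefixed ANSI string (assumed standard OLESaveToStream layout)."""
    if len(data) < 12:
        return None
    version, _fmt, length = struct.unpack_from("<III", data, 0)
    if version != 0x00000501 or len(data) < 12 + length:
        return None
    return data[12:12 + length].rstrip(b"\0").decode("latin-1", "replace")

def triage(rtf):
    """Fired rule names (from the heuristic list above) and the highest severity."""
    bodies = find_group_bodies(rtf, "objdata")
    fired = ["RTF_OBJDATA"] if bodies else []
    if control_word("objupdate").search(rtf):
        fired.append("RTF_OBJUPDATE")
    names, progid = [], False
    for body in bodies:
        data = decode_objdata(body)
        name = ole1_class_name(data)
        if name:
            names.append(name)
        progid = progid or PROGID in data
        m = PROGID_SPLIT_RE.search(body)
        # Critical rule: ProgID present in the decoded bytes AND its hex run was interrupted.
        if PROGID in data and m and m.group(0).lower() != PROGID_HEX:
            if "RTF_EQUATION_EDITOR" not in fired:
                fired.append("RTF_EQUATION_EDITOR")
    severity = max((RULE_SEVERITY[r] for r in fired), key=SEVERITY_ORDER.index, default="clean")
    return {"objdata_count": len(bodies), "class_names": names,
            "equation_progid": progid, "rules": fired, "severity": severity}

def build_sample(class_name=b"Equation.3\0", objupdate=True, obfuscate=True):
    """Constructed RTF (not the analysed sample) wrapping an OLE 1.0 embedded object.
    The native data is a placeholder, not an exploit payload."""
    native = b"\0" * 8
    stream = struct.pack("<III", 0x00000501, 2, len(class_name)) + class_name
    stream += struct.pack("<II", 0, 0) + struct.pack("<I", len(native)) + native  # no Topic/Item names
    hexdata = stream.hex()
    if obfuscate:  # class name starts at byte 12 (hex offset 24): break it with a CRLF
        hexdata = hexdata[:32] + "\r\n" + hexdata[32:38] + "{\\*\\junk}" + hexdata[38:]  # and a hypothetical ignorable group
    obj = "{\\object\\objemb" + ("\\objupdate" if objupdate else "") + "{\\*\\objdata " + hexdata + "}}"
    return "{\\rtf1\\ansi " + obj + "}"

if __name__ == "__main__":
    print(triage(build_sample()))
```

Running the script prints the findings for the constructed document: one \objdata group, class name Equation.3, all three rules fired, severity critical. Two caveats a practitioner should keep in mind: Word itself line-wraps \objdata hex, so a whitespace-only interruption of the ProgID can occur in benign documents and the ignorable-group split is the stronger signal; and the decoded class name is the authoritative one, since an attacker controls whatever \objclass says in clear text.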

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00001099.bin
SHA-256:  4ba62fef51f64cbdc05d185a06373bd947ac98a91e9441ea190a631c35a8ca44
Kind:     rtf-objdata-decoded
Source:   RTF \objdata at offset 0x1099
Size:     1968 bytes