Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 2b618c4f2fcc0536…

Verdict: MALICIOUS

File type: RTF / .DOC

Size: 51.8 KB

MD5: d6d1eec7e84e431b37b2062742ffee3a
SHA-1: ddabc1277508e28cd6b74657fe2a32fb7f7cd12e
SHA-256: 2b618c4f2fcc0536476cf0f66b3153d19b96deca783821804f0a87b6e633308a

Risk Score: 120

Malware Insights

MITRE ATT&CK
T1204.002 User Execution: Malicious File
T1566.001 Phishing: Spearphishing Attachment

The sample is an RTF document carrying embedded OLE object data; it trips heuristics for Equation Editor exploitation and for forced OLE object activation. This strongly suggests the file is built to exploit a known vulnerability in the Equation Editor component (EQNEDT32.EXE) to achieve arbitrary code execution when the document is opened. The two key indicators are the Equation Editor CLSID inside one of the embedded OLE objects and the \objupdate control word, which makes Word instantiate the object on load instead of waiting for the user to activate it. The likely intent is to download and execute a second-stage payload, although no URLs or scripts were extracted from the sample to confirm this.

Heuristics (3)

  • Equation Editor CLSID critical RTF_EQUATION_EDITOR
    Equation Editor OLE CLSID (0002CE02-0000-0000-C000-000000000046, ProgID Equation.3) found inside an embedded OLE object. This is the component exploited by CVE-2017-11882 and by its follow-ups CVE-2018-0802 and CVE-2018-0798.
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate, which forces the embedded OLE object to be instantiated when the document is opened, so no click or other user interaction is needed to reach the vulnerable code. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 2 \objdata section(s), i.e. two hex-encoded embedded OLE objects.
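The three heuristics above can be reproduced with a short triage script. The following is an added example written for this page, not code from the analysis platform that produced the report: it locates every \objdata group in an RTF, strips the nested groups and junk control words that exploit builders interleave with the hex, decodes it, and then checks the decoded OLE1 object for the Equation Editor CLSID (in the little-endian byte order used inside OLE structures) and for the Equation.3 ProgID; the ProgID check goes slightly beyond the CLSID heuristic on the page. The sample RTF it scans is constructed inline (a minimal OLE1 ObjectHeader around fake native data) and is not the analysed file; function and variable names are the example's own.

```python
import re
import uuid
from typing import List, Tuple

# Equation Editor 3.0 (ProgID Equation.3) OLE class id; this is the public CLSID.
EQNEDT_CLSID = uuid.UUID("0002CE02-0000-0000-C000-000000000046")
EQNEDT_CLSID_LE = EQNEDT_CLSID.bytes_le   # byte order as stored in OLE structures

# Control words, control symbols and braces that may be interleaved with the hex body.
_CONTROL_WORD = re.compile(rb"\\[A-Za-z]+-?\d*|\\.|[{}]")
_NOT_HEX = re.compile(rb"[^0-9A-Fa-f]")


def extract_objdata(rtf: bytes) -> List[Tuple[int, bytes]]:
    """Return (offset, decoded_bytes) for every \\objdata group in an RTF byte string.

    The hex body runs from the control word to the brace that closes its group.
    Nested groups and unknown control words inside the body are dropped before
    decoding, because Word ignores them and exploit builders use them as decoys."""
    found = []
    for m in re.finditer(rb"\\objdata\b", rtf):
        depth, i = 0, m.end()
        while i < len(rtf):
            if rtf[i] == 0x7B:            # '{' opens a nested group
                depth += 1
            elif rtf[i] == 0x7D:          # '}' closes a group; depth 0 ends ours
                if depth == 0:
                    break
                depth -= 1
            i += 1
        body = _CONTROL_WORD.sub(b"", rtf[m.end():i])
        hexchars = _NOT_HEX.sub(b"", body)
        if len(hexchars) % 2:
            hexchars = hexchars[:-1]      # tolerate a dangling nibble
        found.append((m.start(), bytes.fromhex(hexchars.decode("ascii"))))
    return found


def scan_rtf(rtf: bytes) -> List[Tuple[str, str, str]]:
    """Apply the report's three heuristics; returns (name, severity, detail) tuples."""
    findings = []
    if re.search(rb"\\objupdate\b", rtf):
        findings.append(("RTF_OBJUPDATE", "high",
                         "\\objupdate present: OLE object is activated on open"))
    objects = extract_objdata(rtf)
    if objects:
        findings.append(("RTF_OBJDATA", "medium",
                         f"{len(objects)} \\objdata section(s)"))
    for offset, blob in objects:
        if EQNEDT_CLSID_LE in blob:
            findings.append(("RTF_EQUATION_EDITOR", "critical",
                             f"Equation Editor CLSID in \\objdata at offset 0x{offset:X}"))
        elif b"Equation.3" in blob:   # ProgID in the OLE1 class-name field (added check)
            findings.append(("RTF_EQUATION_EDITOR", "high",
                             f"Equation Editor ProgID in \\objdata at offset 0x{offset:X}"))
    return findings


def build_sample_rtf() -> bytes:
    """Constructed test input, not the analysed sample: a minimal RTF embedding an
    OLE1 object whose class name is Equation.3 and whose (fake) native data carries
    the CLSID bytes, with the hex split over lines and a decoy control word inside."""
    class_name = b"Equation.3\x00"
    native = (b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1" + b"\x00" * 8   # compound-file magic
              + EQNEDT_CLSID_LE + b"\x00" * 16)
    ole1 = (b"\x01\x05\x00\x00"                                    # OLEVersion
            + b"\x02\x00\x00\x00"                                  # FormatID 2 = embedded
            + len(class_name).to_bytes(4, "little") + class_name   # ClassName
            + b"\x00\x00\x00\x00"                                  # TopicName length
            + b"\x00\x00\x00\x00"                                  # ItemName length
            + len(native).to_bytes(4, "little") + native)          # NativeData
    hexbody = ole1.hex().encode("ascii")
    hexbody = b"\n".join(hexbody[i:i + 64] for i in range(0, len(hexbody), 64))
    hexbody = hexbody[:40] + b"\\dummy0 " + hexbody[40:]           # decoy control word
    return (b"{\\rtf1\\ansi\\deff0\n"
            b"{\\object\\objemb\\objupdate\\objw3000\\objh1000\n"
            b"{\\*\\objdata " + hexbody + b"}}\n"
            b"Invoice attached.\\par}")


if __name__ == "__main__":
    for name, severity, detail in scan_rtf(build_sample_rtf()):
        print(f"{severity:9}{name:22}{detail}")
```

Run the script on a real sample by reading the file as bytes and passing it to scan_rtf; the decoded blobs from extract_objdata are the same artifacts the report lists under "Extracted artifacts" and can be written out for further static analysis.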

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off000018d3.bin
SHA-256: 3275fc3852490863b97e0ea08ef6d76d34f5370c60f2c5e6628252d12f5cfab4
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x18D3
Size: 4685 bytes