Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 2ce55497d0c655d5…

Verdict: MALICIOUS
File type: RTF / .DOC
Size: 45.1 KB
MD5: a8c5dae9b56580be14e5c7b2fdd941ee
SHA-1: 2a1b0edfba33c8c563897ceacadd3af5495fe9ef
SHA-256: 2ce55497d0c655d5cf3bcfe086bbc8e1a42bad7e01c6625d068e8e184cab7fc2
Risk score: 120

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1204.002 Malicious File

The sample is an RTF document carrying embedded OLE object data, and it triggers the heuristics associated with the Equation Editor vulnerabilities (CVE-2017-11882 / CVE-2018-0802): the Equation.3 ProgID appears as a hex byte stream inside an \objdata destination, split with whitespace or an ignorable RTF group so that a naive search for the contiguous hex string misses it, and \objupdate forces the object to be instantiated as soon as the document is opened, so no user interaction beyond opening the file is needed. Exploitation of this vulnerability class typically leads to execution of a second-stage payload; however, no download URL, script or shellcode was extracted from this sample, so the payload and its delivery mechanism are not established by static analysis. The heuristics establish the activation surface rather than prove a working exploit: confirming exploitation requires inspecting the carved OLE data (for example for an Equation Native stream) or detonating the sample, and the second \objdata section, which was not carved as an artifact, should be examined as well.

Heuristics (3)

  • Split hex Equation Editor ProgID + OLE object [critical] RTF_EQUATION_EDITOR
    RTF embeds the Equation.3 ProgID as hex bytes near OLE object activation and splits the byte stream with whitespace or an ignorable RTF group. This is an Equation Editor OLE activation surface commonly used by CVE-2017-11882 / CVE-2018-0802 exploit documents.
  • \objupdate forces OLE activation [high] RTF_OBJUPDATE
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data [medium] RTF_OBJDATA
    RTF contains 2 \objdata sections (embedded OLE objects).

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename                    Kind                 Source                        Size
objdata_00_off00000e40.bin  rtf-objdata-decoded  RTF \objdata at offset 0xE40  1470 bytes
SHA-256: 0a45b7bde96c4a652b585f41bf4ab661261bd57494d85a14cbb21d674f927b77
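The following is an added example, not code from the analysis engine that produced this report: a small Python triage script that implements the three heuristics listed above (split hex Equation.3 ProgID inside \objdata, \objupdate, \objdata count) and the \objdata carve shown in the artifacts table. The RTF it scans is constructed inline (an OLE1 object header with the class name Equation.3, hex-encoded, broken up with CRLFs and an ignorable {\*\...} group inside the ProgID bytes, under \objupdate); the OLE1 header layout, the filler second object, and every function name are assumptions for illustration. The only grounded constant is that the ASCII ProgID "Equation.3" hex-encodes to 4571756174696f6e2e33. The naive_search function shows why the normalisation step matters: a plain grep for that hex string returns nothing on the split stream.

```python
"""Added example: toy RTF triage implementing the report's three heuristics
and the \\objdata carve. Not the analysis engine's code; the sample input is
constructed below and is not the analysed file."""
import hashlib
import re
import struct

# ASCII ProgID "Equation.3" as the hex digits it becomes inside an OLE1
# object header carried by \objdata: '4571756174696f6e2e33'.
EQUATION3_HEX = b"Equation.3".hex()

SEVERITY = {"critical": 0, "high": 1, "medium": 2}
_CONTROL_WORD = re.compile(r"\\[A-Za-z]+-?\d*")
_NON_HEX = re.compile(r"[^0-9A-Fa-f]")


def _strip_groups(text):
    """Drop every {...} group, nested ones included, honouring \\{ \\} escapes."""
    out, depth, i = [], 0, 0
    while i < len(text):
        c = text[i]
        if c == "\\" and i + 1 < len(text) and text[i + 1] in "{}\\":
            i += 2                     # escaped brace/backslash: not a delimiter
            continue
        if c == "{":
            depth += 1
        elif c == "}":
            depth = max(depth - 1, 0)
        elif depth == 0:
            out.append(c)
        i += 1
    return "".join(out)


def objdata_sections(rtf):
    """Yield (offset, raw_text) for each \\objdata destination; raw_text runs
    up to the brace that closes the enclosing group, across nested groups."""
    for m in re.finditer(r"\\objdata\b", rtf):
        start, depth, i = m.end(), 0, m.end()
        while i < len(rtf):
            c = rtf[i]
            if c == "\\":              # skip escaped char or control-word lead
                i += 2
                continue
            if c == "{":
                depth += 1
            elif c == "}":
                if depth == 0:
                    break
                depth -= 1
            i += 1
        yield m.start(), rtf[start:i]


def normalize_hex(raw):
    """Rejoin a hex stream that was split with whitespace, ignorable groups
    or stray control words into contiguous lowercase hex digits."""
    text = _CONTROL_WORD.sub("", _strip_groups(raw))
    return _NON_HEX.sub("", text).lower()


def decode_objdata(raw):
    h = normalize_hex(raw)
    return bytes.fromhex(h[: len(h) - len(h) % 2])   # drop a dangling nibble


def naive_search(rtf):
    """What a plain grep for the ProgID hex sees: the split stream defeats it."""
    return EQUATION3_HEX in rtf.lower()


def scan_rtf(rtf):
    sections = list(objdata_sections(rtf))
    hits, carved = set(), []
    if re.search(r"\\objupdate\b", rtf):
        hits.add(("RTF_OBJUPDATE", "high"))
    if sections:
        hits.add(("RTF_OBJDATA", "medium"))
    for n, (off, raw) in enumerate(sections):
        if EQUATION3_HEX in normalize_hex(raw):
            hits.add(("RTF_EQUATION_EDITOR", "critical"))
        blob = decode_objdata(raw)
        carved.append({"name": f"objdata_{n:02d}_off{off:08x}.bin",
                       "offset": off, "size": len(blob), "data": blob,
                       "sha256": hashlib.sha256(blob).hexdigest()})
    return {"hits": sorted(hits, key=lambda h: SEVERITY[h[1]]),
            "objdata_count": len(sections), "carved": carved}


def build_sample_rtf():
    """Constructed sample (not the analysed file): an OLE1 object header whose
    class name is Equation.3, hex-encoded, broken with CRLF every 16 digits
    and an ignorable {\\*\\...} group inside the ProgID, under \\objupdate."""
    header = (b"\x01\x05\x00\x00"       # OLEVersion
              + b"\x02\x00\x00\x00"     # FormatID 2: embedded object
              + struct.pack("<I", 11)   # class-name length incl. NUL
              + b"Equation.3\x00"
              + b"\x00" * 8)            # empty TopicName/ItemName lengths
    hexstr = header.hex()
    split = "\r\n".join(hexstr[i:i + 16] for i in range(0, len(hexstr), 16))
    split = split.replace("74696f6e", "7469{\\*\\mmathPr}6f6e", 1)  # 'ti|on'
    return ("{\\rtf1\\ansi\\deff0\n"
            "{\\object\\objemb\\objupdate\\objw100\\objh100\n"
            "{\\*\\objdata\n" + split + "\n}\n"
            "{\\result{\\pict\\wmetafile8 00}}}\n"
            "{\\object\\objemb{\\*\\objclass Package}"
            "{\\*\\objdata 0105000002000000}{\\result}}\n"   # filler 2nd object
            "\\par}\n")


if __name__ == "__main__":
    report = scan_rtf(build_sample_rtf())
    for hid, sev in report["hits"]:
        print(f"{sev:>8}  {hid}")
    for c in report["carved"]:
        print(f"{c['name']}  {c['size']} bytes  sha256={c['sha256'][:16]}...")
```

Running it yields the same three heuristic identifiers as the report (critical, high, medium) and carves two objdata blobs, the first of which contains the Equation.3 class name. The design point is that the ProgID check runs on the normalised hex of each \objdata destination rather than on the raw file, so whitespace and ignorable groups inserted between hex digits do not hide the class name.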