Malicious RTF — malware analysis report

Static analysis result for SHA-256 2f5cdaaf82594dc5…

MALICIOUS

RTF

14.2 KB First seen: 2019-05-10
MD5: e5c0ff4cf9b6f7b64e87b78bfa5e7492 SHA-1: 2291f8028f9d252e3995185e91e1003254a54199 SHA-256: 2f5cdaaf82594dc5709c1f053b3c70d97cb4a5ec68ed4378e99327753c4f1a92
160 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The RTF file contains an embedded OLE object with an Equation Editor CLSID, and an \objupdate directive that forces OLE activation. This strongly indicates exploitation of a vulnerability within the Equation Editor component. The decoded OLE object data is the most significant IOC, likely containing the malicious payload or instructions for its execution. No specific family could be identified.

Heuristics 4

  • Equation Editor CLSID critical CVE likely RTF_EQUATION_EDITOR
    Equation Editor OLE CLSID found inside an OLE object — exploited by CVE-2017-11882 / CVE-2018-0802 / CVE-2018-0798
  • Ole10Native stream in RTF OLE object high CVE related RTF_OLE10NATIVE_STREAM
    RTF contains an embedded OLE object with an Ole10Native stream. This is a strong payload-container signal and is related to Word/OLE exploit delivery, but it is not specific enough on its own to assign a CVE.
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off00000801.bin rtf-objdata-decoded RTF \objdata at offset 0x801 4133 bytes
SHA-256: 6fb1fde1d54f37d10de3391a1e4f5c322442304471d0e30b324be620b976b5b4

Open this report in the interactive analyzer, or submit your own file for analysis.