Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 305a242832d3835e…

MALICIOUS

RTF / .DOC

1.20 MB
MD5: f6e37e1a86d9ef77572c643e4bcc263a
SHA-1: 34e607ed918ee668c2bd73fdf6c4f438de860dc6
SHA-256: 305a242832d3835e3960a83d2025b8b8ff26059a3915780f5f1eb85d121db9e4

Risk Score: 202

Malware Insights

MITRE ATT&CK
T1059.001 (PowerShell), T1204.002 (Malicious File)

The sample is an RTF document that contains OLE object data, specifically leveraging the Equation Editor. Heuristics indicate that the decoded Equation Editor payload is a PE file, suggesting it is designed to download and execute a second-stage payload. The excessive hex data within the OLE object further supports the presence of a hidden payload. No specific family could be identified, but the attack pattern is consistent with exploiting Equation Editor vulnerabilities for initial payload delivery.

Heuristics (6)

  • Decoded Equation Editor payload + PE [critical] (RTF_EQUATION_EDITOR)
    RTF decodes to an Equation Editor ProgID adjacent to OLE activation, and the same decoded object stream contains embedded PE bytes. This matches the Equation Editor exploit surface used by CVE-2017-11882 / CVE-2018-0802 documents, while requiring payload evidence to avoid flagging benign Equation references.
  • Automatically linked OLE object [high] (RTF_OBJAUTLINK)
    RTF contains \objautlink — an automatically linked OLE object surface that can be updated or activated when Word opens the document.
  • \objupdate forces OLE activation [high] (RTF_OBJUPDATE)
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • Large hex data blocks in OLE object [high] (RTF_EXCESSIVE_HEX)
    RTF contains ~1252 KB of hex-encoded data inside \objdata sections — may hide a payload.
  • OLE object data [medium] (RTF_OBJDATA)
    RTF contains 1 \objdata section(s) — embedded OLE objects.
  • Suspicious extracted artifact [info] (EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off000007b9.bin
SHA-256:  3d16241d3c3ce9428876efa144e9f5c119e1297b44a18c9f1753649564164a4f
Kind:     rtf-objdata-decoded
Source:   RTF \objdata at offset 0x7B9
Size:     626420 bytes
Detection:
  ClamAV: No threats found
  Obfuscation or payload: likely
  Carved artifact entropy is 7.99, consistent with packed or encrypted content.