Malware Insights
The file is an RTF document containing an embedded OLE object that leverages the Equation Editor component. Critical heuristics indicate the presence of Equation Editor CLSID and object class, strongly suggesting an exploit targeting this component. The RTF_OBJDATA and RTF_OLE10NATIVE_STREAM heuristics further confirm the presence of embedded object data. While no specific malicious URL or script was directly extracted, the exploitation of the Equation Editor is a common initial access vector for delivering secondary payloads. The benign URL found is likely a red herring or part of the exploit structure.
Heuristics 6
-
Ole10Native stream in RTF OLE object high RTF_OLE10NATIVE_STREAMRTF contains an embedded OLE object with an Ole10Native stream. This is a strong payload-container signal and is related to Word/OLE exploit delivery, but it is not specific enough on its own to assign a CVE.
-
Equation Editor CLSID critical RTF_EQUATION_EDITOREquation Editor OLE CLSID found inside an OLE object — exploited by CVE-2017-11882 / CVE-2018-0802 / CVE-2018-0798
-
Equation Editor object class critical RTF_OBJCLASS_EQUATIONObject class 'equation.3' references Equation Editor
-
OLE object data medium RTF_OBJDATARTF contains 1 \objdata section(s) — embedded OLE objects
-
Embedded OLE object medium RTF_OBJEMBRTF contains \objemb — embedded OLE object
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.microsoft.com/office/word/2003/wordml
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
objdata_00_off0000543d.bin0aae1a66fb885142f0d9f9ac0ae75377e853863f3e5bab5fc7335e62b8ef5d0d |
rtf-objdata-decoded | RTF \objdata at offset 0x543D | 7972 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.