Malicious RTF — malware analysis report

Static analysis result for SHA-256 3107226ba941337a…

MALICIOUS

RTF

92.9 KB First seen: 2024-09-22
MD5: c496e9e3167af07c0c305a267d462140 SHA-1: 83699485e791c682b9471838b1772641fdf727e9 SHA-256: 3107226ba941337a466409303e8ccc0047319e7622c3f35b5b350fc15c9b1f9d
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious File

The sample is an RTF document that contains OLE object data and triggers an objupdate event, indicating it attempts to activate embedded objects. The critical heuristic firing for RTF_EQUATION_EDITOR specifically points to a known vulnerability in the Equation Editor component, which is commonly exploited to achieve arbitrary code execution. This technique is often used as a delivery mechanism for further stages of an attack.

Heuristics 3

  • Split hex Equation Editor ProgID + OLE object critical RTF_EQUATION_EDITOR
    RTF embeds the Equation.3 ProgID as hex bytes near OLE object activation and splits the byte stream with whitespace or an ignorable RTF group. This is an Equation Editor OLE activation surface commonly used by CVE-2017-11882 / CVE-2018-0802 exploit documents.
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off000013fb.bin
1d402da0f57ef22818c16b3296bd0a5441cb32ddb21bcc67f2c925dedfdf6352		 rtf-objdata-decoded RTF \objdata at offset 0x13FB 1802 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.