Malicious RTF — malware analysis report

Static analysis result for SHA-256 313153794cb2d8fb…

MALICIOUS

RTF

14.9 KB First seen: 2020-09-15
MD5: 3725d86ec57e6b6c881a650376c5f109 SHA-1: 7875ce1aa6c9c877419db6c259fc220443e5d17e SHA-256: 313153794cb2d8fba9ca9ee6facab812f5150df9214b611f2d286add9d6a4556
120 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The RTF document contains an embedded OLE object that decodes to a Portable Executable (PE) file, indicative of an exploit. The presence of the Equation Editor heuristic and the \objupdate directive strongly suggests exploitation of a vulnerability within the Equation Editor component to achieve code execution. The decoded object, objdata_00_off000010f1.bin, is likely the second-stage payload.

Heuristics 3

  • Decoded Equation Editor payload + PE critical CVE likely RTF_EQUATION_EDITOR
    RTF decodes to an Equation Editor ProgID adjacent to OLE activation and the same decoded object stream contains embedded PE bytes. This matches the Equation Editor exploit surface used by CVE-2017-11882 / CVE-2018-0802 documents, while requiring payload evidence to avoid flagging benign Equation references.
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off000010f1.bin rtf-objdata-decoded RTF \objdata at offset 0x10F1 1581 bytes
SHA-256: 671c938587ef85c306b34e392be39042e1b80a099ea70d23fdaf34dc936f0225

Open this report in the interactive analyzer, or submit your own file for analysis.