RTF / .DOC malware analysis — malicious · 32275d44d7fdea5d

MALICIOUS

RTF / .DOC

203.0 KB

MD5: 8014bc400616dc18ed9950bc71353593 SHA-1: 8e5fad96300c74e0164bf296354a2275c5291388 SHA-256: 32275d44d7fdea5da1cee4d13d7dbbae0ef5d1937b5b90cb887042cd0fd18579

180 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1204.002 Malicious File T1059.003 Windows Command Shell

The RTF document contains embedded OLE objects, specifically triggering critical heuristics related to the Equation Editor. The presence of \objupdate indicates that the embedded object is designed to be automatically activated upon opening the document, leading to the exploitation of the Equation Editor vulnerability. This is a common technique for delivering malicious payloads.

Heuristics 5

Ole10Native stream in RTF OLE object high CVE related RTF_OLE10NATIVE_STREAM

RTF contains an embedded OLE object with an Ole10Native stream. This is a strong payload-container signal and is related to Word/OLE exploit delivery, but it is not specific enough on its own to assign a CVE.
Equation Editor CLSID critical RTF_EQUATION_EDITOR

Equation Editor OLE CLSID found inside an OLE object — exploited by CVE-2017-11882 / CVE-2018-0802 / CVE-2018-0798
\objupdate forces OLE activation high RTF_OBJUPDATE

RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
OLE object data medium RTF_OBJDATA

RTF contains 2 \objdata section(s) — embedded OLE objects
Embedded OLE object medium RTF_OBJEMB

RTF contains \objemb — embedded OLE object

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`objdata_00_off00001d0a.bin` `13495a0573cf12362e23644f978362357e04ab633deb9e72fd9d6befd8ecd0b6`	rtf-objdata-decoded	RTF \objdata at offset 0x1D0A	3667 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.