Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 324905a06c225e3f…

MALICIOUS

RTF / .DOC

4.0 KB
MD5: 18850ee78056e286b1b2fdc4ac5cee71
SHA-1: 900fc94adbab40baab24f5ca3094dd77294f46a0
SHA-256: 324905a06c225e3f6fb1a509f55044224c1bdecac3fc20a5f1c465a2730cad0e
Risk Score: 120

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution
T1559.001 Component Object Model Hijacking

The RTF document contains embedded OLE object data, specifically triggering the Equation Editor vulnerability. The \objupdate directive forces OLE activation, indicating an attempt to execute embedded code. This is a common technique for delivering malicious payloads via document exploits.

Heuristics (3)

  • Split hex Equation Editor ProgID + OLE object (severity: critical, rule: RTF_EQUATION_EDITOR)
    RTF embeds the Equation.3 ProgID as hex bytes near OLE object activation and splits the byte stream with whitespace or an ignorable RTF group. This is an Equation Editor OLE activation surface commonly used by CVE-2017-11882 / CVE-2018-0802 exploit documents.
  • \objupdate forces OLE activation (severity: high, rule: RTF_OBJUPDATE)
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium, rule: RTF_OBJDATA)
    RTF contains 2 \objdata section(s), i.e. embedded OLE objects.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00000091.bin
SHA-256: e8a82502279959681c7bf7b46f6042aab384064d7d117c7af253bda37bc462a4
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x91
Size: 1794 bytes