Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 32dd98e27c7d6f32…

MALICIOUS

RTF / .DOC

Size: 55.4 KB
Created: 2022-01-12 18:26:00
MD5: e1b8a7bcacfea61566e29e4427c1f7a3
SHA-1: 79423719ed8f1caabc6f089366b2c2832e8ff189
SHA-256: 32dd98e27c7d6f322d44ca2c1986b4ff8e28898a1cf6a99fe2fe4f4845a6c442
Risk Score: 162

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution
T1059.001 PowerShell

The sample is an RTF document that targets the Microsoft Equation Editor vulnerability class flagged by the heuristics below (CVE-2017-11882 and the related CVE-2018-0802 / CVE-2018-0798) to achieve code execution. The combination of an embedded OLE object (\objdata / \objemb), the 'equation.3' object class and the Equation Editor CLSID inside that object is the signature of this exploit family. No second-stage payload URL was recovered during static analysis, but exploits of this type are typically used to download and run additional malicious content. The only URL extracted is the standard WordML schema namespace, which appears in ordinary Word-generated documents and is not an indicator on its own.

Heuristics 5

  • Equation Editor CLSID critical RTF_EQUATION_EDITOR
    Equation Editor OLE CLSID found inside an OLE object — exploited by CVE-2017-11882 / CVE-2018-0802 / CVE-2018-0798
  • Equation Editor object class critical RTF_OBJCLASS_EQUATION
    Object class 'equation.3' references Equation Editor
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects
  • Embedded OLE object medium RTF_OBJEMB
    RTF contains \objemb — embedded OLE object
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.microsoft.com/office/word/2003/wordml

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: objdata_00_off00004dfd.bin
SHA-256: e4c48a228f10ca0c0f177a8a1ff5ecca679845deca7ef9791a5d97b75298345b
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x4DFD
Size: 7868 bytes