Malicious RTF — malware analysis report

Static analysis result for SHA-256 33abfa943812f5b4…

MALICIOUS

RTF

41.0 KB
MD5: 6d7b56e1f41ef241528ea39729e99f2b SHA-1: 40ca09f4b0146ddd9d4871d61c7289d7c0ce477f SHA-256: 33abfa943812f5b4b0a47256d548bf972fc79b800b6569b0106124637a3e90ae
120 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The RTF document contains OLE object data and triggers an exploit related to the Equation Editor, indicating an attempt to execute arbitrary code. The presence of embedded OLE object data suggests the file is designed to download and run a secondary payload. While no specific script was extracted, the exploit mechanism points towards a common technique for initial execution.

Heuristics 3

  • Split hex Equation Editor ProgID + OLE object critical RTF_EQUATION_EDITOR
    RTF embeds the Equation.3 ProgID as hex bytes near OLE object activation and splits the byte stream with whitespace or an ignorable RTF group. This is an Equation Editor OLE activation surface commonly used by CVE-2017-11882 / CVE-2018-0802 exploit documents.
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 2 \objdata section(s) — embedded OLE objects

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off000008a0.bin
386f6e97426e15cb272218ca315f2d591bf80c37de059688adb3b9b9b5a6747e		 rtf-objdata-decoded RTF \objdata at offset 0x8A0 1491 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.