Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 374425d00e155fed…

MALICIOUS

RTF / .DOC

101.3 KB
MD5: 1a6aecfed00875c68600bde49d057334 SHA-1: 11bebf0cdd2970def27c796a649be21ac9da1fe2 SHA-256: 374425d00e155fed9a1f2f6afc0a1b9cfca4b1c3e7c53a1e78bc6281300f0746
120 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1059.001 PowerShell

The sample is an RTF document that leverages the Equation Editor vulnerability (CVE-2017-11882), indicated by the RTF_EQUATION_EDITOR heuristic. The RTF_OBJUPDATE heuristic suggests that the embedded OLE object is designed to be activated, leading to code execution. The presence of OLE object data further supports this. The primary goal is likely to exploit this vulnerability to download and execute a secondary payload, although no specific download URL or script was directly extracted from the provided evidence.

Heuristics 3

  • Equation Editor CLSID critical RTF_EQUATION_EDITOR
    Equation Editor OLE CLSID found inside an OLE object — exploited by CVE-2017-11882 / CVE-2018-0802 / CVE-2018-0798
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off00001b48.bin
6bf1a8a83a61c6467dcb187979b7339455ee41a7b898a4501cb6d030a58ba1dc		 rtf-objdata-decoded RTF \objdata at offset 0x1B48 4192 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.