Malicious RTF — malware analysis report

Static analysis result for SHA-256 3cad854eda956373…

MALICIOUS

RTF

12.6 KB First seen: 2023-02-23
MD5: 4b3501435442bb8f881f2bcb42131653 SHA-1: ddb0fbaf344958d5469bdc6f4143a1f88278243a SHA-256: 3cad854eda95637323863a0bdb6b13dd7865ff83aa3a66d97fe55b693be98696
120 Risk Score

Malware Insights

MITRE ATT&CK
T1204 Malicious Link T1204.001 Malicious Link: Malicious Link T1059 Command and Scripting Interpreter T1566 Phishing T1566.001 Phishing: Spearphishing Attachment

The file is an RTF document that contains an embedded OLE object, specifically targeting the Equation Editor vulnerability. The presence of \objdata and \objupdate heuristics indicates that the document is designed to exploit this vulnerability, likely to download and execute a secondary payload. No specific family could be identified, but the attack pattern is consistent with exploit-laced documents.

Heuristics 3

  • Split hex Equation Editor ProgID + OLE object critical RTF_EQUATION_EDITOR
    RTF embeds the Equation.3 ProgID as hex bytes near OLE object activation and splits the byte stream with whitespace or an ignorable RTF group. This is an Equation Editor OLE activation surface commonly used by CVE-2017-11882 / CVE-2018-0802 exploit documents.
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off000011a0.bin
60ecb523466d27f677f292e80ca320b406a5770433ba2ef8c5604adf7ed09fcd		 rtf-objdata-decoded RTF \objdata at offset 0x11A0 1776 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.