Malicious RTF — malware analysis report

Static analysis result for SHA-256 3d05b9869dcf10fe…

MALICIOUS

RTF

70.7 KB First seen: 2023-08-10
MD5: 14ef57e9ea139aebe1fb5a81d66d4f08 SHA-1: e4b24c475bcd3b4fccc4a60ac23d8d0464822b1a SHA-256: 3d05b9869dcf10fe7eba50fac1e81427d2699b5514ccf06b497830aef6b59c5b
Risk Score: 180

Malware Insights

MITRE ATT&CK
  • T1204 User Execution
    ◦ T1204.002 Malicious File
  • T1059 Command and Scripting Interpreter
    ◦ T1059.005 Visual Basic

The sample is an RTF document that leverages a known vulnerability in the Equation Editor component. Heuristics indicate the presence of an OLE object that is automatically updated and activated, a common technique for exploiting Equation Editor vulnerabilities. The document body contains a lure instructing the user to 'Enable editing', suggesting the document is designed to bypass security measures and execute embedded malicious code. The specific exploit used is likely related to CVE-2017-11882, a known Equation Editor vulnerability.

Heuristics 5

  • Split hex Equation Editor ProgID + OLE object (critical, RTF_EQUATION_EDITOR)
    RTF embeds the Equation.3 ProgID as hex bytes near OLE object activation and splits the byte stream with whitespace or an ignorable RTF group. This is an Equation Editor OLE activation surface commonly used by CVE-2017-11882 / CVE-2018-0802 exploit documents.
  • Automatically linked OLE object (high, RTF_OBJAUTLINK)
    RTF contains \objautlink — an automatically linked OLE object surface that can be updated or activated when Word opens the document.
  • \objupdate forces OLE activation (high, RTF_OBJUPDATE)
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (medium, RTF_OBJDATA)
    RTF contains 1 \objdata section(s) — embedded OLE objects.
  • Macro/content-enable lure (medium, SE_ENABLE_LURE)
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: objdata_00_off000036f2.bin
SHA-256:  5759aa5c33d1cf81c8c87a7a4e50771666783ae94c833b436acf3ae8a20a61ce
Kind:     rtf-objdata-decoded
Source:   RTF \objdata at offset 0x36F2
Size:     1671 bytes