Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 3edec7c5ddec5c10…

MALICIOUS

RTF / .DOC

4.7 KB
MD5: 05b7b53245972c8e879a68ee1ee7f1c4
SHA-1: 34ac5cdd8f9ca831a11823aa9f7a7f65afec5584
SHA-256: 3edec7c5ddec5c10d18e0812321ed4eaefcf011887d3758c2350f3867b9c0194

Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File

The RTF document contains embedded OLE object data and triggers heuristics related to Equation Editor exploitation. Specifically, the RTF_EQUATION_EDITOR and RTF_OBJUPDATE rules indicate that the file is designed to leverage a vulnerability in the Equation Editor component, likely to achieve arbitrary code execution when the document is opened. The presence of OLE object data further supports this assessment.

Heuristics (3)

  • RTF_EQUATION_EDITOR (critical): Split hex Equation Editor ProgID + OLE object
    RTF embeds the Equation.3 ProgID as hex bytes near OLE object activation and splits the byte stream with whitespace or an ignorable RTF group. This is an Equation Editor OLE activation surface commonly used by CVE-2017-11882 / CVE-2018-0802 exploit documents.
  • RTF_OBJUPDATE (high): \objupdate forces OLE activation
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • RTF_OBJDATA (medium): OLE object data
    RTF contains 2 \objdata sections (embedded OLE objects).

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename                    Kind                 Source                       Size
objdata_00_off000000c2.bin  rtf-objdata-decoded  RTF \objdata at offset 0xC2  2075 bytes
  SHA-256: 78ae7159d5aca510c268c496514c2bcdaf6086e72b1ad5117b68d3a68113319a