RTF malware analysis — malicious · 415df6eced9ab10f

MALICIOUS

RTF

2.12 MB

MD5: 8722742e5c06fa177d89e333eb144672 SHA-1: 0e47b669b2e65a2feda0acdf07e654b358dacb2e SHA-256: 415df6eced9ab10f5acdc12b53746463692d9ba2e697dee481989300e4ae98e1

140 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1204.002 Malicious File

The file is an RTF document containing embedded OLE objects, specifically triggering the Equation Editor vulnerability. The presence of \objupdate indicates an attempt to force OLE activation, which is a common technique for exploiting Equation Editor flaws. This suggests the file is designed to execute code upon opening, likely to download and run a secondary payload. No specific family could be identified.

Heuristics 4

Split hex Equation Editor ProgID + OLE object critical RTF_EQUATION_EDITOR

RTF embeds the Equation.3 ProgID as hex bytes near OLE object activation and splits the byte stream with whitespace or an ignorable RTF group. This is an Equation Editor OLE activation surface commonly used by CVE-2017-11882 / CVE-2018-0802 exploit documents.
\objupdate forces OLE activation high RTF_OBJUPDATE

RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
OLE object data medium RTF_OBJDATA

RTF contains 2 \objdata section(s) — embedded OLE objects
Embedded OLE object medium RTF_OBJEMB

RTF contains \objemb — embedded OLE object

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`objdata_00_off00000dea.bin` `c0e914b20a8f888b51d7967d931edbdb12503b41e28565453f2c50776f991dc3`	rtf-objdata-decoded	RTF \objdata at offset 0xDEA	55077 bytes
`objdata_01_off00031b8e.bin` `975d3a2f2f8b7195d4eb809b2a138db9dd3913fc730826171b11bd21fa93d9f8`	rtf-objdata-decoded	RTF \objdata at offset 0x31B8E	478829 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.