Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 41afdac25cf7c147…

Verdict: MALICIOUS
File type: RTF / .DOC
Size: 13.0 KB
MD5:     acd50fe291319737f47191d2656e0dac
SHA-1:   9205ab82034b8838dbeb977df19a4bb98b05001b
SHA-256: 41afdac25cf7c1471c48fbebcef81dfb52ee7f1bc1e5aa1f58338a8439515c5e
Risk score: 200

Malware Insights

MITRE ATT&CK
T1204.002 User Execution: Malicious File
T1566.001 Phishing: Spearphishing Attachment

The sample is an RTF document containing an embedded OLE object that targets the Microsoft Equation Editor (EQNEDT32.EXE). The Equation Editor CLSID inside the object, together with the ClamAV signature Rtf.Exploit.CVE_2018_0802-6825822-0, strongly indicates an exploit for CVE-2018-0802. Note that the CLSID alone does not distinguish CVE-2018-0802 from the related Equation Editor bugs CVE-2017-11882 and CVE-2018-0798; the CVE attribution rests on the ClamAV signature. The \objupdate control word makes Word instantiate the embedded object as soon as the document is opened, so the exploit fires without any interaction with the object and leads to execution of the attacker-supplied payload.

Heuristics (5)

  • [critical] RTF_EQUATION_EDITOR: Equation Editor CLSID
    The Microsoft Equation Editor OLE CLSID was found inside an embedded OLE object. This component is the target of CVE-2017-11882, CVE-2018-0802 and CVE-2018-0798; the CLSID identifies the vulnerable component, not which of the three bugs is used.
  • [critical] CLAMAV_DETECTION: ClamAV signature Rtf.Exploit.CVE_2018_0802-6825822-0
    ClamAV detects this file as Rtf.Exploit.CVE_2018_0802-6825822-0.
  • [high] RTF_OBJUPDATE: \objupdate forces OLE activation
    The RTF contains \objupdate, which makes Word instantiate the embedded OLE object as soon as the document is opened, without any user interaction. The control word is almost exclusively seen in Equation Editor exploit documents.
  • [medium] RTF_OBJDATA: OLE object data
    The RTF contains 1 \objdata destination, i.e. the hex-encoded payload of an embedded OLE object.
  • [medium] RTF_OBJEMB: embedded OLE object
    The RTF contains \objemb, marking the object as embedded rather than linked.
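The heuristics above amount to a small RTF/OLE parser: locate the object control words, decode the hex of each \objdata destination, read the OLE 1.0 ObjectHeader in front of the native data, and look for the Equation Editor CLSID in that data. The script below is an added example and is not part of this report or of the engine that produced it. It implements that logic and reproduces the report's tag names, and it also carves each decoded \objdata blob with the offset of its control word, which is the operation behind the extracted-artifact listing further down. The document it scans is constructed inline by build_sample_rtf(): an \objemb/\objupdate object whose OLE1 header names Equation.3 and whose native data is a stub (CFB magic plus the CLSID bytes, not a valid compound file). The CLSID value {0002CE02-0000-0000-C000-000000000046} and its little-endian serialisation are facts; the stub layout, the tag-to-check mapping and the function names are this example's own choices.

```python
import re
import struct

# Microsoft Equation 3.0 CLSID {0002CE02-0000-0000-C000-000000000046} serialised in the
# little-endian GUID layout that an OLE2 compound file stores in its root directory entry.
EQNEDT_CLSID = bytes.fromhex("02CE020000000000C000000000000046")
HEX_DIGITS = frozenset(b"0123456789abcdefABCDEF")


def _skip_control(rtf: bytes, i: int) -> int:
    """Return the index just past the control word or control symbol at rtf[i] == '\\\\'."""
    j = i + 1
    if rtf[j:j + 1] == b"'":                     # \'hh escapes two text bytes, not payload hex
        return j + 3
    while rtf[j:j + 1].isalpha():                # control word name (ASCII letters only)
        j += 1
    if j == i + 1:                               # control symbol such as \* or \{
        return j + 1
    while rtf[j:j + 1].isdigit() or rtf[j:j + 1] == b"-":
        j += 1                                   # optional numeric parameter
    return j + 1 if rtf[j:j + 1] == b" " else j  # the delimiting space belongs to the word


def extract_objdata(rtf: bytes) -> list[tuple[int, bytes]]:
    """Return (offset, decoded bytes) for every \\objdata destination in the document.

    The hex payload runs from the control word to the brace that closes its group.
    Whitespace is dropped and nested control words are skipped, so obfuscation such as
    interleaved \\par or split lines does not feed letters into the hex decoder.
    """
    blobs = []
    for m in re.finditer(rb"\\objdata\b", rtf):
        i, depth, digits = m.end(), 0, bytearray()
        while i < len(rtf):
            c = rtf[i]
            if c == ord("{"):
                depth += 1
            elif c == ord("}"):
                if depth == 0:
                    break
                depth -= 1
            elif c == ord("\\"):
                i = _skip_control(rtf, i)
                continue
            elif c in HEX_DIGITS:
                digits.append(c)
            i += 1
        digits = digits[: len(digits) - len(digits) % 2]     # drop a stray odd nibble
        blobs.append((m.start(), bytes.fromhex(digits.decode("ascii"))))
    return blobs


def parse_ole1_header(blob: bytes) -> dict:
    """Parse the OLE 1.0 ObjectHeader (MS-OLEDS) that opens every \\objdata payload."""
    def lp_string(off):                          # LengthPrefixedAnsiString
        n = struct.unpack_from("<I", blob, off)[0]
        return blob[off + 4:off + 4 + n].rstrip(b"\x00"), off + 4 + n
    version, format_id = struct.unpack_from("<II", blob, 0)
    class_name, off = lp_string(8)
    _topic, off = lp_string(off)
    _item, off = lp_string(off)
    native = b""
    if format_id == 2:                           # 2 = EmbeddedObject (1 = LinkedObject)
        size = struct.unpack_from("<I", blob, off)[0]
        native = blob[off + 4:off + 4 + size]
    return {"version": version, "format_id": format_id,
            "class_name": class_name.decode("latin-1"), "native": native}


def scan_rtf(rtf: bytes) -> dict:
    """Reproduce the report's RTF heuristics: returns the triggered tags plus per-object detail."""
    objects = []
    for off, blob in extract_objdata(rtf):
        try:
            hdr = parse_ole1_header(blob)
        except struct.error:                     # truncated/obfuscated header: sweep the raw bytes
            hdr = {"class_name": "", "native": blob}
        objects.append({
            "offset": off,                       # offset of the \objdata control word, as in the report
            "size": len(blob),
            "class_name": hdr["class_name"],
            "eqnedt_clsid": EQNEDT_CLSID in hdr["native"],
            "eqnedt_progid": hdr["class_name"].lower().startswith("equation."),
        })
    tags = []
    if any(o["eqnedt_clsid"] for o in objects):  # the report keys on the CLSID, not the ProgID
        tags.append("RTF_EQUATION_EDITOR")
    if re.search(rb"\\objupdate\b", rtf):
        tags.append("RTF_OBJUPDATE")
    if objects:
        tags.append("RTF_OBJDATA")
    if re.search(rb"\\objemb\b", rtf):
        tags.append("RTF_OBJEMB")
    return {"heuristics": tags, "objects": objects}


def build_sample_rtf(class_name: bytes = b"Equation.3", with_clsid: bool = True,
                     objupdate: bool = True) -> bytes:
    """Constructed test document (not the analysed sample): an \\objemb object whose OLE1
    header names class_name and whose native data is a stub compound file that optionally
    carries the Equation Editor CLSID where a real root directory entry would hold it."""
    def lp(s):
        return (struct.pack("<I", len(s) + 1) + s + b"\x00") if s else struct.pack("<I", 0)
    native = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 72           # CFB magic + header stub
    native += (EQNEDT_CLSID if with_clsid else b"\x00" * 16) + b"\x00" * 32
    blob = (struct.pack("<II", 0x00000501, 2) + lp(class_name) + lp(b"") + lp(b"")
            + struct.pack("<I", len(native)) + native)
    hexdata = blob.hex().encode()
    lines = b"\r\n".join(hexdata[i:i + 64] for i in range(0, len(hexdata), 64))   # Word-style wrapping
    return (b"{\\rtf1\\ansi{\\object\\objemb" + (b"\\objupdate" if objupdate else b"")
            + b"\\objw380\\objh260{\\*\\objclass " + class_name + b"}"
            + b"{\\*\\objdata \r\n" + lines + b"\r\n}}\\par }")


if __name__ == "__main__":
    print("exploit-like:", scan_rtf(build_sample_rtf())["heuristics"])
    print("benign embed:", scan_rtf(build_sample_rtf(b"Package", False, False))["heuristics"])
```

Two design points matter in practice. The hex decoder walks the RTF group and skips control words instead of regexing for one contiguous hex run, because exploit documents routinely break the payload across lines, interleave control words and add stray nibbles to defeat naive extraction. And the CLSID is searched in the raw native bytes rather than through a compound-file parser, so a deliberately corrupted CFB header does not hide the indicator; as the heuristic text notes, a CLSID hit says which component is targeted, not which of the three Equation Editor CVEs is in use.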

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off000011d8.bin
SHA-256:  c43d3709dea00a5fd39930916a50dc7a6e37a85f7b214154e4e6d2011577791a
Kind:     rtf-objdata-decoded
Source:   RTF \objdata at offset 0x11D8
Size:     4156 bytes