Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 42a82b5198d7fd52…

MALICIOUS

RTF / .DOC

31.1 KB First seen: 2023-05-05
MD5: 94167c7ed417035468f22aeffc07431a SHA-1: f0949fac7cfc6f1448f406f19cd8133a97ea7589 SHA-256: 42a82b5198d7fd5275b88d6f582d1d968b774e4a5c248bbd1d1432ec63260ed0
120 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The sample is an RTF document that contains an embedded OLE object with a split Equation Editor ProgID, indicating exploitation of CVE-2017-11882. The ".objupdate" directive forces the activation of this object, which is a known method for executing arbitrary code. The embedded object data itself is the primary indicator of compromise, likely containing shellcode to download and execute a further stage.

Heuristics 3

  • Split hex Equation Editor ProgID + OLE object critical RTF_EQUATION_EDITOR
    RTF embeds the Equation.3 ProgID as hex bytes near OLE object activation and splits the byte stream with whitespace or an ignorable RTF group. This is an Equation Editor OLE activation surface commonly used by CVE-2017-11882 / CVE-2018-0802 exploit documents.
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off00004d82.bin
b0c7b1f881e1aadcd606b3ecb1276ae8d91302b930f537880a092e49f44731d5		 rtf-objdata-decoded RTF \objdata at offset 0x4D82 2004 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.