Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 42e5a299ec97c49a…

MALICIOUS

RTF / .DOC

12.6 KB
MD5: 314baeb98fa59830a1e64f3286b1dcbb
SHA-1: ffa6d5ddc347c342738f209167b75342dc95a556
SHA-256: 42e5a299ec97c49aed10f7e3cf2855264727618511015cb9528b3604053e1e90

Risk Score: 120

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution
T1105 Ingress Tool Transfer

The file is an RTF document containing embedded OLE objects, specifically triggering critical heuristics for Equation Editor exploitation and OLE object updates. This indicates the document is designed to exploit a vulnerability, likely CVE-2017-11882, to achieve code execution. The embedded OLE object data, though truncated, suggests the potential for downloading and executing a secondary payload, aligning with common malware delivery techniques.

Heuristics (3)

  • Split hex Equation Editor ProgID + OLE object [critical] RTF_EQUATION_EDITOR
    RTF embeds the Equation.3 ProgID as hex bytes near OLE object activation and splits the byte stream with whitespace or an ignorable RTF group. This is an Equation Editor OLE activation surface commonly used by CVE-2017-11882 / CVE-2018-0802 exploit documents.
  • \objupdate forces OLE activation [high] RTF_OBJUPDATE
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data [medium] RTF_OBJDATA
    RTF contains 2 \objdata section(s) (embedded OLE objects).

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00000bc4.bin
SHA-256: 138a4ed2b8255d9b32fa1fb075ac57e76da5d51f97cfb3801f2d2adff6eef422
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0xBC4
Size: 1267 bytes