Malicious RTF — malware analysis report

Static analysis result for SHA-256 4730c3b0908ef85c…

Verdict: MALICIOUS

File type: RTF

Size: 68.0 KB
First seen: 2024-10-15
MD5: cfe1e071f17323cecb8f5970cda07036
SHA-1: 9dfa338c20480de2c42eef74f2154084104b2065
SHA-256: 4730c3b0908ef85cd06e04033146fef6bb270c54db06d7f6f864faf270a6464a
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.001 Malicious Link

The sample is an RTF document that contains an embedded OLE object targeting the Equation Editor vulnerability. The \objupdate control word indicates that the embedded object will be activated automatically when the document is opened, without user interaction. This technique is commonly used to deliver a secondary payload, such as a downloader or backdoor, by exploiting known vulnerabilities in the Equation Editor component.

Heuristics (3)

  • Split hex Equation Editor ProgID + OLE object [critical] (RTF_EQUATION_EDITOR)
    RTF embeds the Equation.3 ProgID as hex bytes near OLE object activation and splits the byte stream with whitespace or an ignorable RTF group. This is an Equation Editor OLE activation surface commonly used by CVE-2017-11882 / CVE-2018-0802 exploit documents.
  • \objupdate forces OLE activation [high] (RTF_OBJUPDATE)
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data [medium] (RTF_OBJDATA)
    RTF contains 1 \objdata section(s) — embedded OLE objects.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off000014e6.bin
SHA-256: 5e46e8dff94b6f4fd090dc53ce0c7ace3dd99fb28394b3a26c0704e2db50616b
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x14E6
Size: 1412 bytes