Malicious RTF — malware analysis report

Static analysis result for SHA-256 4994e0b1532ec815…

MALICIOUS

RTF

2.9 KB
MD5: a32c8ab0f938fdf7f40ed96790952396 SHA-1: b8454a38017418c8f3260477fcb4b6308b3a162f SHA-256: 4994e0b1532ec815a5c842d5bd42454c2bf4e99adc0638924545230dda11bc24
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious File T1059.003 Windows Command Shell

The RTF file contains OLE object data and specifically triggers critical heuristics related to Equation Editor exploitation. The \objupdate directive further indicates that the embedded OLE object is designed to be activated automatically, likely leading to the execution of a malicious payload. This points to a classic exploit delivery mechanism targeting the Equation Editor vulnerability.

Heuristics 3

  • Split hex Equation Editor ProgID + OLE object critical RTF_EQUATION_EDITOR
    RTF embeds the Equation.3 ProgID as hex bytes near OLE object activation and splits the byte stream with whitespace or an ignorable RTF group. This is an Equation Editor OLE activation surface commonly used by CVE-2017-11882 / CVE-2018-0802 exploit documents.
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off00000068.bin
c08aa7508a92c25224ad6292c6f4afbe509f6e5ae2eddca829acbd8cc29bad6e		 rtf-objdata-decoded RTF \objdata at offset 0x68 1357 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.