Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 49c5c0e78ba0d3c5…

MALICIOUS

RTF / .DOC

2.26 MB
MD5: 10e63fc0a6c20475b5fe9a2e417acd9d SHA-1: cdf4ee152f74df23fd8ed5001fcc47f8a74211b4 SHA-256: 49c5c0e78ba0d3c5fa27e03d09abe2b4af0b306823c16f50d393fc45f7181468
180 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious File

The file is an RTF document containing an embedded OLE object that exploits the Equation Editor vulnerability (CVE-2017-11882). The embedded object is designed to execute a malicious script. The script's purpose appears to be downloading and executing a second-stage payload, as indicated by the reconstructed string 'eval(((( "replace(WScript.Script.FullName,WScript.Script.Name, """" )"""" ) ) ) )'. Further analysis of the script reveals attempts to check for available disk space and potentially write to the registry, though the exact actions are obfuscated. The presence of the Equation Editor exploit and the script execution strongly suggests a malicious intent to compromise the user's system.

Heuristics 5

  • Equation Editor activation — CVE-2017-11882 related high CVE related CVE_2017_11882_ACTIVATION_RELATED
    RTF decodes to an Equation.3 ProgID and requests OLE activation with \objemb plus \objupdate. This reaches the legacy Equation Editor attack surface used by CVE-2017-11882/CVE-2018-0802 documents, but the malformed MTEF/native payload needed for stronger attribution was not recovered.
  • Split hex Equation Editor ProgID + OLE object critical RTF_EQUATION_EDITOR
    RTF embeds the Equation.3 ProgID as hex bytes near OLE object activation and splits the byte stream with whitespace or an ignorable RTF group. This is an Equation Editor OLE activation surface commonly used by CVE-2017-11882 / CVE-2018-0802 exploit documents.
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 2 \objdata section(s) — embedded OLE objects
  • Embedded OLE object medium RTF_OBJEMB
    RTF contains \objemb — embedded OLE object

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off00001116.bin
61e9154037dac8b5fbf28a0ed0848737154e69ab52485a617e996e571f1bf8c0		 rtf-objdata-decoded RTF \objdata at offset 0x1116 27145 bytes
objdata_01_off0001cd33.bin
7b044241719dc498d7192da41c089b65b5b58d1276cabad9af124a69d1f89421		 rtf-objdata-decoded RTF \objdata at offset 0x1CD33 483334 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.