Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 4d5d268fd23b8943…

Verdict: MALICIOUS

File type: RTF / .DOC

Size: 4.1 KB
First seen: 2022-07-18
MD5: 9508882ec5f5fb57319fb922a378f1be
SHA-1: 8489146c7c321f412f78fe622f76685c634a64d2
SHA-256: 4d5d268fd23b8943243cf79a2130799b7e3ad14a627bedc61e01713e50d35f2f
Risk score: 120

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The RTF file contains embedded OLE object data and triggers an ".objupdate" call, indicating an attempt to activate embedded content. The critical heuristic firing for 'RTF_EQUATION_EDITOR' specifically points to a known vulnerability in Microsoft Equation Editor, which is commonly exploited to achieve arbitrary code execution. This technique is often used as a first stage to download and execute further malicious components.

Heuristics (3)

  • Split hex Equation Editor ProgID + OLE object (severity: critical, rule: RTF_EQUATION_EDITOR)
    RTF embeds the Equation.3 ProgID as hex bytes near OLE object activation and splits the byte stream with whitespace or an ignorable RTF group. This is an Equation Editor OLE activation surface commonly used by CVE-2017-11882 / CVE-2018-0802 exploit documents.
  • \objupdate forces OLE activation (severity: high, rule: RTF_OBJUPDATE)
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium, rule: RTF_OBJDATA)
    RTF contains 2 \objdata section(s), i.e. embedded OLE objects.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off0000007f.bin
SHA-256: f9c99f67f35a6e3d196c90dff1bc1fb5d2acbcab06a587b4b4c4f4555b054a7e
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x7F
Size: 1653 bytes