Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 4d9d83092b6c9fed…

MALICIOUS

RTF / .DOC

Size: 72.4 KB
First seen: 2022-03-18
MD5: 22d3cd53d6f5cd6b464373ffd2ecd267
SHA-1: 5c05bf07e08726bde27f79ce3889c0e6946ae783
SHA-256: 4d9d83092b6c9fed5ae7573d6f98e1c7853cc1674df8641fe4e7ab87d9a2ff4f
Risk Score: 135

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The RTF document contains embedded OLE objects and specifically triggers the Equation Editor vulnerability, indicated by the RTF_EQUATION_EDITOR and RTF_OBJUPDATE heuristics. The ".bin" file extracted from the OLE object data likely contains the exploit payload. The ".bin" file is 24638 bytes in size and is likely responsible for the malicious verdict.

Heuristics (3)

  • RTF_EQUATION_EDITOR (critical): Split hex Equation Editor ProgID + OLE object
    RTF embeds the Equation.3 ProgID as hex bytes near OLE object activation and splits the byte stream with whitespace or an ignorable RTF group. This is an Equation Editor OLE activation surface commonly used by CVE-2017-11882 / CVE-2018-0802 exploit documents.
  • RTF_OBJUPDATE (high): \objupdate forces OLE activation
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • RTF_OBJDATA (medium): OLE object data
    RTF contains 2 \objdata section(s) — embedded OLE objects.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off000000d5.bin
SHA-256:  d2a0eebf5f112723446cc81f5d17639e5ff4689d25ce275c06c62acce874d0ed
Kind:     rtf-objdata-decoded
Source:   RTF \objdata at offset 0xD5
Size:     24638 bytes