Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 4e08d9b366b5dce8…

Verdict: MALICIOUS
File type: RTF / .DOC
Size: 4.5 KB
MD5: af89de8f13c914f9384ea984bac7ba50
SHA-1: 148f7bc2066a9888d929adbc980d3ad3a50ba433
SHA-256: 4e08d9b366b5dce8ee287e9d7b04c837bee6a6d09a18faf500026e12e7e90846
Risk Score: 160

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File
  • T1059.003 Windows Command Shell

The RTF file contains multiple indicators of exploitation targeting the Equation Editor, including OLE object data and automatic linking. The presence of \objupdate suggests an attempt to force OLE activation, likely leading to the execution of a malicious payload. The file is classified as malicious with a high risk score, indicating a high likelihood of exploit execution.

Heuristics (4)

  • Split hex Equation Editor ProgID + OLE object [critical] (RTF_EQUATION_EDITOR)
    RTF embeds the Equation.3 ProgID as hex bytes near OLE object activation and splits the byte stream with whitespace or an ignorable RTF group. This is an Equation Editor OLE activation surface commonly used by CVE-2017-11882 / CVE-2018-0802 exploit documents.
  • Automatically linked OLE object [high] (RTF_OBJAUTLINK)
    RTF contains \objautlink — an automatically linked OLE object surface that can be updated or activated when Word opens the document.
  • \objupdate forces OLE activation [high] (RTF_OBJUPDATE)
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data [medium] (RTF_OBJDATA)
    RTF contains 2 \objdata section(s) — embedded OLE objects.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  • Filename: objdata_00_off000000ef.bin
    SHA-256: 3af5e61cff5d008b4ed7ad9f19ea522e9bfd3a6db761f3720a87163b6ef1888b
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0xEF
    Size: 2024 bytes