Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 4e1f12265105e830…

MALICIOUS

RTF / .DOC

22.9 KB
MD5: 8882b20af96f9de32ec1d3d7559f9526
SHA-1: 79082f73ba1fa398dca0fb0ec1d9b83303d6c4e4
SHA-256: 4e1f12265105e83094dddaa4c3180f2d948c3d1950628318e65526ab636b2a6d

Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1204.001 Malicious Link: Malicious Link

The sample is an RTF document that contains embedded OLE object data, specifically targeting the Equation Editor vulnerability. The \objupdate directive indicates that the embedded object will be activated automatically, likely leading to the execution of a secondary payload. The critical heuristic firing for RTF_EQUATION_EDITOR strongly suggests exploitation of this known vulnerability. While no specific family is identified, the attack pattern is consistent with a malicious document designed to exploit this flaw for initial execution.

Heuristics (3)

  • Split hex Equation Editor ProgID + OLE object (critical, RTF_EQUATION_EDITOR)
    The RTF embeds the Equation.3 ProgID as hex bytes near OLE object activation and splits the byte stream with whitespace or an ignorable RTF group. This is an Equation Editor OLE activation surface commonly used by CVE-2017-11882 / CVE-2018-0802 exploit documents.
  • \objupdate forces OLE activation (high, RTF_OBJUPDATE)
    The RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (medium, RTF_OBJDATA)
    The RTF contains 2 \objdata section(s), i.e. embedded OLE objects.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00001d23.bin
SHA-256: e98dc457e372012f2ba78524e970ba8c68a2bcc608be8d0c968708359f21c09f
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x1D23
Size: 1644 bytes