Malicious RTF — malware analysis report

Static analysis result for SHA-256 4e22abff39b796b7…

MALICIOUS

RTF

24.6 KB First seen: 2023-06-03
MD5: ff889dabeb89be61eb1ece635fb12ec2 SHA-1: 74b300165f094df3903bbf34cd09a3cbd5bc9328 SHA-256: 4e22abff39b796b7262d7b9873041310b499b287a42b6253aa9576b6ec8587bf
160 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The RTF file contains embedded OLE object data and specifically triggers heuristics related to Equation Editor exploitation and automatic OLE activation. This strongly suggests the file is designed to exploit a known vulnerability in the Equation Editor component of Microsoft Office. The primary goal is likely to achieve code execution to download and run a subsequent stage, though no specific payload or download URL was directly extracted from this sample.

Heuristics 4

  • Equation Editor CLSID critical RTF_EQUATION_EDITOR
    Equation Editor OLE CLSID found inside an OLE object — exploited by CVE-2017-11882 / CVE-2018-0802 / CVE-2018-0798
  • Automatically linked OLE object high RTF_OBJAUTLINK
    RTF contains \objautlink — an automatically linked OLE object surface that can be updated or activated when Word opens the document.
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off000010a0.bin
67c5828988eb8c700df6cb35c92429b6cbf6bb247258c849ebf97ce3eff33857		 rtf-objdata-decoded RTF \objdata at offset 0x10A0 4184 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.