RTF malware analysis — malicious · 5136e25d14a49076

MALICIOUS

RTF

11.1 KB

MD5: 5608fd8f35d6ba85c260b794cee500ad SHA-1: 301b7ad778f8209dfd290b33ffd636442e6f0e11 SHA-256: 5136e25d14a490767eedb555649937acaac871cf5df5744992d4cf35b1b03852

160 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1204.002 Malicious File

The sample is an RTF document containing an embedded OLE object, specifically targeting the Equation Editor vulnerability. The presence of RTF_OBJDATA, RTF_OBJAUTLINK, RTF_OBJUPDATE, and RTF_EQUATION_EDITOR heuristics strongly indicates exploitation of the Equation Editor component. This technique is commonly used to deliver a secondary payload, hence the attack pattern focuses on code execution and payload delivery.

Heuristics 4

Split hex Equation Editor ProgID + OLE object critical RTF_EQUATION_EDITOR

RTF embeds the Equation.3 ProgID as hex bytes near OLE object activation and splits the byte stream with whitespace or an ignorable RTF group. This is an Equation Editor OLE activation surface commonly used by CVE-2017-11882 / CVE-2018-0802 exploit documents.
Automatically linked OLE object high RTF_OBJAUTLINK

RTF contains \objautlink — an automatically linked OLE object surface that can be updated or activated when Word opens the document.
\objupdate forces OLE activation high RTF_OBJUPDATE

RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
OLE object data medium RTF_OBJDATA

RTF contains 1 \objdata section(s) — embedded OLE objects

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`objdata_00_off000017d5.bin` `5c3cc5e97cb21ea0c7029fab915d2162b2081b9c8309abb218d20c3ed3cbf25d`	rtf-objdata-decoded	RTF \objdata at offset 0x17D5	1655 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.