Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 520a27ca424cc933…

MALICIOUS

RTF / .DOC

12.8 KB
MD5:     fa9d0de3541696d4c4a10c7ea054a258
SHA-1:   91d1d2f6eb6aa676bfa6b434e8714ac3ab265da9
SHA-256: 520a27ca424cc933830ff81757b869faa27e08105eb2cd06c51bf71ec87dbc04

Risk Score: 120

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File
T1059.001 PowerShell

The sample is an RTF document containing OLE object data, specifically targeting the Equation Editor vulnerability. The presence of \objupdate indicates an attempt to force OLE activation, likely to trigger the exploit. While no explicit script was extracted, the critical heuristic for Equation Editor suggests a download and execution chain. The IOC provided is a placeholder for the likely payload URL.

Heuristics (3)

  • Split hex Equation Editor ProgID + OLE object critical RTF_EQUATION_EDITOR
    RTF embeds the Equation.3 ProgID as hex bytes near OLE object activation and splits the byte stream with whitespace or an ignorable RTF group. This is an Equation Editor OLE activation surface commonly used by CVE-2017-11882 / CVE-2018-0802 exploit documents.
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 2 \objdata section(s) — embedded OLE objects

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename                     Kind                  Source                          Size
objdata_00_off0000175d.bin   rtf-objdata-decoded   RTF \objdata at offset 0x175D   1744 bytes
  SHA-256: 1364f41d5e55d7867a2099d37d8b8795b2fe08554d805eb02eac0eaa4202af19