Malicious RTF — malware analysis report

Static analysis result for SHA-256 531d8782bae4b4ba…

Verdict: MALICIOUS
File type: RTF
Size: 91.8 KB
First seen: 2024-08-22
MD5: 21169a44e4aa7cde16401b3d0dab16aa
SHA-1: e85c977db7fdc1a2ff99f17ac966a9f60ca30721
SHA-256: 531d8782bae4b4babfa770b4acdf907dee78744f79452099e6f0ac5afff96c07
Risk score: 120

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The sample is an RTF document that contains OLE object data, specifically targeting the Equation Editor vulnerability. The ".objupdate" directive forces OLE activation, indicating an attempt to execute embedded content. This likely leads to the download and execution of a second-stage payload, as suggested by the critical heuristic firing for RTF_EQUATION_EDITOR.

Heuristics (3)

  • [critical] RTF_EQUATION_EDITOR: Split hex Equation Editor ProgID + OLE object
    The RTF embeds the Equation.3 ProgID as hex bytes near the OLE object activation and splits the byte stream with whitespace or an ignorable RTF group. This is an Equation Editor OLE activation surface commonly used by CVE-2017-11882 / CVE-2018-0802 exploit documents.
  • [high] RTF_OBJUPDATE: \objupdate forces OLE activation
    The RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • [medium] RTF_OBJDATA: OLE object data
    The RTF contains 1 \objdata section(s), i.e. embedded OLE objects.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00001251.bin
SHA-256:  8a4d183c7a35b958e8df14d4505afe8e20f277e4a51fe293d5aa92619590fa0b
Kind:     rtf-objdata-decoded
Source:   RTF \objdata at offset 0x1251
Size:     1921 bytes