Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 5a9dba0fc2a6d0a2…

Verdict: MALICIOUS
File type: RTF / .DOC
Size: 131.6 KB
First seen: 2023-07-06
MD5: c4794418f4f9af91ea4a8c222e3bd352
SHA-1: 48d40ae68eafa9388bb061371982c725a853b52b
SHA-256: 5a9dba0fc2a6d0a2e9cbac0bc774059d329d36c8308ac05882146a8362374fd5
Risk score: 120

Malware Insights

MITRE ATT&CK

  • T1566.001 Phishing: Spearphishing Attachment
  • T1204.001 User Execution: Malicious Link

The sample is an RTF document that leverages the Equation Editor vulnerability, as indicated by the RTF_EQUATION_EDITOR and RTF_OBJUPDATE heuristic firings. This exploit is commonly used to deliver secondary payloads. The presence of embedded OLE object data (RTF_OBJDATA) further supports this exploitation vector.

Heuristics (3)

  • RTF_EQUATION_EDITOR (critical): Split hex Equation Editor ProgID + OLE object
    RTF embeds the Equation.3 ProgID as hex bytes near OLE object activation and splits the byte stream with whitespace or an ignorable RTF group. This is an Equation Editor OLE activation surface commonly used by CVE-2017-11882 / CVE-2018-0802 exploit documents.
  • RTF_OBJUPDATE (high): \objupdate forces OLE activation
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • RTF_OBJDATA (medium): OLE object data
    RTF contains 1 \objdata section (an embedded OLE object).

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off0000119a.bin
SHA-256: 935875bb637e6d96435a0e25ba69bfd4f4bbe22de763fed892f87cad61cdcfba
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x119A
Size: 35637 bytes