Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 5ce28d3d12ca36c3…

Verdict: MALICIOUS
File type: RTF / .DOC
Size: 246.6 KB
MD5: 55481a69ca2ce127f6430178ef88cfa5
SHA-1: 8f9dfb0e7c22b133c3b42feea212641c638c34a4
SHA-256: 5ce28d3d12ca36c373458e5c51b8918f89e9cae83ff047b2a070eef93d95ae11
Risk Score: 180

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1566.001 Spearphishing Attachment

The RTF file contains multiple indicators of exploiting the CVE-2017-11882 vulnerability via Microsoft Equation Editor. The presence of RTF_EQUATION_EDITOR and CVE_2017_11882_ACTIVATION_RELATED heuristics strongly suggests this exploit. The embedded OLE objects and the ".objupdate" directive further confirm the attempt to trigger the exploit for client execution, likely delivered as a spearphishing attachment.

Heuristics (5)

  • Equation Editor activation — CVE-2017-11882 related [severity: high; tag: CVE related; rule: CVE_2017_11882_ACTIVATION_RELATED]
    RTF decodes to an Equation.3 ProgID and requests OLE activation with \objemb plus \objupdate. This reaches the legacy Equation Editor attack surface used by CVE-2017-11882/CVE-2018-0802 documents, but the malformed MTEF/native payload needed for stronger attribution was not recovered.
  • Split hex Equation Editor ProgID + OLE object [severity: critical; rule: RTF_EQUATION_EDITOR]
    RTF embeds the Equation.3 ProgID as hex bytes near OLE object activation and splits the byte stream with whitespace or an ignorable RTF group. This is an Equation Editor OLE activation surface commonly used by CVE-2017-11882 / CVE-2018-0802 exploit documents.
  • \objupdate forces OLE activation [severity: high; rule: RTF_OBJUPDATE]
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data [severity: medium; rule: RTF_OBJDATA]
    RTF contains 2 \objdata section(s) — embedded OLE objects.
  • Embedded OLE object [severity: medium; rule: RTF_OBJEMB]
    RTF contains \objemb — embedded OLE object.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Columns: Filename (with SHA-256), Kind, Source, Size

  • Filename: objdata_00_off00000ded.bin
    SHA-256: d19b293406a0a4a6324c6dc7cb6f358866d97e723e789a3fc92c32be28744ec9
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0xDED
    Size: 63224 bytes
  • Filename: objdata_01_off0003c70f.bin
    SHA-256: 46d3b6aac8b42a2f18baaa943e2730c85ef326081ff213fb48610ca8a4698200
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x3C70F
    Size: 1078 bytes