Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 5e01041dd743da83…

Verdict: MALICIOUS
File type: RTF / .DOC
Size: 86.9 KB
MD5: feb6e59fff619a84e6e391a4c95a6650
SHA-1: ce34cf474caabe64404bcf26bf813bcb70a1d84c
SHA-256: 5e01041dd743da83e0034a09b3c450b78d1a16ffaa916ff491bf8cd90776dbe7
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1566.001 Spearphishing Attachment

The sample is an RTF document containing an embedded OLE object that leverages a known vulnerability in the Equation Editor component. The heuristics indicate that \objupdate forces OLE activation, which is a common technique for exploiting this vulnerability to achieve arbitrary code execution. This likely serves as a dropper for a secondary payload, although no specific download URLs or further execution details were extracted.

Heuristics (3)

  • Split hex Equation Editor ProgID + OLE object (severity: critical, rule: RTF_EQUATION_EDITOR)
    The RTF embeds the Equation.3 ProgID as hex bytes near the OLE object activation and splits the byte stream with whitespace or an ignorable RTF group. This is an Equation Editor OLE activation surface commonly used by CVE-2017-11882 / CVE-2018-0802 exploit documents.
  • \objupdate forces OLE activation (severity: high, rule: RTF_OBJUPDATE)
    The RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium, rule: RTF_OBJDATA)
    The RTF contains 1 \objdata section(s), i.e. embedded OLE objects.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00000c06.bin
SHA-256: b4956006cb35caa56171009231180f9a3f4ba4a0ec7050a75a67926ab81b438b
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0xC06
Size: 1564 bytes