RTF / .DOC malware analysis — malicious · 6097de45c0c39087

MALICIOUS

RTF / .DOC

18.7 KB First seen: 2023-02-01

MD5: 6218fa7e494e039ea3c71cd81d0e23d0 SHA-1: 66feae9d5e9b040a1beeba40b0bae56b05a05c32 SHA-256: 6097de45c0c390875a3192b79f58b57d05592addaeadfd332c928f4d92494b6e

160 Risk Score

Malware Insights

MITRE ATT&CK

T1203 Exploitation for Client Execution T1059.001 PowerShell T1105 Ingress Tool Transfer

The sample is an RTF document containing an embedded OLE object with an Equation Editor CLSID, triggering critical heuristics for Equation Editor exploitation. The ".objupdate" directive indicates that the OLE object is designed to be activated automatically. This suggests the document is a lure designed to exploit the Equation Editor vulnerability (CVE-2017-11882) to achieve code execution, likely for downloading and running a secondary payload.

Heuristics 4

Ole10Native stream in RTF OLE object high CVE related RTF_OLE10NATIVE_STREAM

RTF contains an embedded OLE object with an Ole10Native stream. This is a strong payload-container signal and is related to Word/OLE exploit delivery, but it is not specific enough on its own to assign a CVE.
Equation Editor CLSID critical RTF_EQUATION_EDITOR

Equation Editor OLE CLSID found inside an OLE object — exploited by CVE-2017-11882 / CVE-2018-0802 / CVE-2018-0798
\objupdate forces OLE activation high RTF_OBJUPDATE

RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
OLE object data medium RTF_OBJDATA

RTF contains 1 \objdata section(s) — embedded OLE objects

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`objdata_00_off00000fc3.bin` `9e9df56e86eba7af13a3207763d3a00d2bceb182cc5b40b592dfe315ec7330be`	rtf-objdata-decoded	RTF \objdata at offset 0xFC3	3678 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.