Malicious RTF — malware analysis report

Static analysis result for SHA-256 61f88a66b9c446e2…

Verdict: MALICIOUS
File type: RTF
Size: 21.3 KB
First seen: 2020-07-24
MD5: f048f9bfe278b3927196e84fa1c249a0
SHA-1: 30d525cfcf58afe1b19adfd46f3a328eaf6414aa
SHA-256: 61f88a66b9c446e2f9692913541fb41bd42e8ecb3649ae7c2921a6d585d9d169
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1566.001 Spearphishing Attachment

The sample is an RTF document that contains embedded OLE object data and carries the \objupdate control word, indicating an attempt to activate the embedded object automatically when the document is opened. The critical heuristic "RTF_EQUATION_EDITOR" specifically points to a known vulnerability in Microsoft Equation Editor, which is commonly exploited to achieve arbitrary code execution. This suggests the document is designed to exploit this vulnerability to download and run a secondary malicious payload.

Heuristics (3)

  • Split hex Equation Editor ProgID + OLE object (severity: critical, CVE likely) [RTF_EQUATION_EDITOR]
    RTF embeds the Equation.3 ProgID as hex bytes near OLE object activation and splits the byte stream with whitespace or an ignorable RTF group. This is an Equation Editor OLE activation surface commonly used by CVE-2017-11882 / CVE-2018-0802 exploit documents.
  • \objupdate forces OLE activation (severity: high) [RTF_OBJUPDATE]
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium) [RTF_OBJDATA]
    RTF contains 1 \objdata section(s) (embedded OLE objects).

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00001d4f.bin
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x1D4F
Size: 1578 bytes
SHA-256: 35da24f3565355d2896fa23429355018b26d1da51a03587862e111383d84713c