Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 635a7e3de331fa8b…

MALICIOUS

RTF / .DOC

19.5 KB
MD5: c1d4aa1bce1c523f67c8080f09c27ad0 SHA-1: 16493ffc984903a6f9d3a097636c2c5bfca178a7 SHA-256: 635a7e3de331fa8b5092fc0e5d8bc2eae613defeecc345554be2ba632e2dd378
120 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The sample is an RTF document containing embedded OLE objects and specifically triggers heuristics for the Equation Editor vulnerability. This indicates a likely exploitation attempt to gain execution on the victim's machine. The presence of ".objdata" and ".objupdate" sections further suggests the embedding and activation of malicious OLE objects. The primary attack vector is likely spearphishing, with the RTF file acting as an attachment.

Heuristics 3

  • Split hex Equation Editor ProgID + OLE object critical RTF_EQUATION_EDITOR
    RTF embeds the Equation.3 ProgID as hex bytes near OLE object activation and splits the byte stream with whitespace or an ignorable RTF group. This is an Equation Editor OLE activation surface commonly used by CVE-2017-11882 / CVE-2018-0802 exploit documents.
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 2 \objdata section(s) — embedded OLE objects

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off00001d00.bin
afc1ef8276aea15411915ce7d7bbac60a46ff705b0cfcbe67b8740f81314335b		 rtf-objdata-decoded RTF \objdata at offset 0x1D00 1609 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.