Malicious RTF — malware analysis report

Static analysis result for SHA-256 67ad0f57895b9963…

MALICIOUS

Type: RTF
Size: 35.2 KB
First seen: 2024-06-06
MD5: 56b4ddf6c247124f9bc633b06b169a84
SHA-1: f6d0dfca950ccd1fcb92ed511afba92db7edc843
SHA-256: 67ad0f57895b9963fff217941c49d4eb97023d65fd5b3d36ab936c24fa35a6f0
Risk score: 120

Malware Insights

MITRE ATT&CK
T1559.001 Inter-Process Communication: Component Object Model
T1204.002 User Execution: Malicious File

The RTF contains embedded OLE object data and uses \objupdate to force the object to be instantiated as soon as the document is opened. That combination is characteristic of documents exploiting the Equation Editor (EQNEDT32.EXE) memory-corruption bugs, and the `RTF_EQUATION_EDITOR` and `RTF_OBJUPDATE` heuristics firing together point to that exploit vector. The embedded OLE object most likely acts as a dropper for a second stage, but the payload itself could not be determined from the evidence available here; the 1799-byte object carved below is where any follow-up analysis should start.

Heuristics 3

  • RTF_EQUATION_EDITOR [critical]: Split hex Equation Editor ProgID + OLE object
    The RTF embeds the Equation.3 ProgID as hex bytes inside the OLE object data and breaks the hex stream up with whitespace or an ignorable RTF group, so a plain string search for "Equation.3" does not find it. This is the Equation Editor OLE activation surface used by CVE-2017-11882 / CVE-2018-0802 exploit documents.
  • RTF_OBJUPDATE [high]: \objupdate forces OLE activation
    The RTF contains \objupdate, which makes Word instantiate the OLE object automatically when the document is opened, so the user does not have to double-click the object. Almost exclusively seen in Equation Editor exploit documents.
  • RTF_OBJDATA [medium]: OLE object data
    The RTF contains 1 \objdata destination (embedded OLE object).
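The three heuristics above are simple to reproduce. The following is an added example written for this report, not the analyser's own code: it decodes every \objdata destination after dropping whitespace and nested ignorable groups (the split-hex trick), reads the MS-OLEDS ObjectHeader to recover the ProgID, checks for \objupdate, and names each carved object in the objdata_NN_offXXXXXXXX.bin convention used in the artifacts section. The RTF it scans is constructed inline and is not the analysed sample; it carries the Equation.3 header but no exploit payload.

```python
from __future__ import annotations

import hashlib
import re

# Constructed sample (not the analysed file): one embedded OLE object with
# \objupdate. The \objdata hex spells the MS-OLEDS ObjectHeader (OLEVersion
# 0x501, FormatID 2, ClassName "Equation.3\0") but is split by whitespace and
# an ignorable {\*\...} group, so "Equation.3" never appears as plain text.
SAMPLE_RTF = (
    r"{\rtf1\ansi\deff0{\fonttbl{\f0 Calibri;}}"
    r"\pard Quarterly report attached.\par"
    r"{\object\objemb\objupdate\objw1000\objh500"
    r"{\*\objdata 01050000 02000000 0b00"
    r"{\*\junk ignore me}"
    r"0000 4571 7561 74 69 6f 6e 2e 33 00"
    r" 00000000 00000000 04000000 deadbeef}}}"
)

HEX_CHARS = set("0123456789abcdefABCDEF")
# Control words must end at a non-letter, so \objupdate does not match \objupdatex.
OBJUPDATE_RE = re.compile(r"\\objupdate(?![a-zA-Z])")
OBJDATA_RE = re.compile(r"\{\\\*\\objdata(?![a-zA-Z])")
CONTROL_RE = re.compile(r"\\[a-zA-Z]+-?\d*\s?|\\.")


def find_group_end(rtf: str, start: int) -> int:
    """Index just past the '}' matching the '{' at rtf[start]; honours \\{ \\} escapes."""
    depth, i = 0, start
    while i < len(rtf):
        c = rtf[i]
        if c == "\\":
            i += 2
            continue
        if c == "{":
            depth += 1
        elif c == "}":
            depth -= 1
            if depth == 0:
                return i + 1
        i += 1
    raise ValueError("unbalanced RTF group")


def strip_nested_groups(s: str) -> str:
    """Remove every {...} sub-group (ignorable or not) from a destination body."""
    out, depth, i = [], 0, 0
    while i < len(s):
        c = s[i]
        if c == "\\" and i + 1 < len(s):
            if depth == 0:
                out.append(s[i:i + 2])
            i += 2
            continue
        if c == "{":
            depth += 1
        elif c == "}":
            depth -= 1
        elif depth == 0:
            out.append(c)
        i += 1
    return "".join(out)


def decode_objdata(rtf: str) -> list[tuple[int, bytes]]:
    """Return (offset, decoded bytes) for each \\objdata destination in the RTF."""
    blobs = []
    for m in OBJDATA_RE.finditer(rtf):
        end = find_group_end(rtf, m.start())
        body = strip_nested_groups(rtf[m.end():end - 1])
        body = CONTROL_RE.sub("", body)
        hexdigits = "".join(c for c in body if c in HEX_CHARS)
        if len(hexdigits) % 2:
            hexdigits = hexdigits[:-1]  # tolerate a stray nibble
        blobs.append((m.start(), bytes.fromhex(hexdigits)))
    return blobs


def parse_ole1_header(blob: bytes) -> dict | None:
    """Parse the MS-OLEDS ObjectHeader: OLEVersion, FormatID, length-prefixed ClassName."""
    if len(blob) < 12:
        return None
    version = int.from_bytes(blob[0:4], "little")
    format_id = int.from_bytes(blob[4:8], "little")
    name_len = int.from_bytes(blob[8:12], "little")
    if name_len > len(blob) - 12:
        return None
    class_name = blob[12:12 + name_len].rstrip(b"\x00").decode("latin-1")
    return {"version": version, "format_id": format_id, "class_name": class_name}


def carve_name(index: int, offset: int) -> str:
    """File name in the report's objdata_NN_offXXXXXXXX.bin convention."""
    return f"objdata_{index:02d}_off{offset:08x}.bin"


def scan_rtf(rtf: str) -> dict:
    """Apply the three heuristics and describe each carved object."""
    heuristics, artifacts = [], []
    blobs = decode_objdata(rtf)
    if blobs:
        heuristics.append("RTF_OBJDATA")
    if OBJUPDATE_RE.search(rtf):
        heuristics.append("RTF_OBJUPDATE")
    for index, (offset, blob) in enumerate(blobs):
        header = parse_ole1_header(blob)
        if b"equation.3" in blob.lower() and "RTF_EQUATION_EDITOR" not in heuristics:
            heuristics.append("RTF_EQUATION_EDITOR")
        artifacts.append({
            "filename": carve_name(index, offset),
            "sha256": hashlib.sha256(blob).hexdigest(),
            "offset": offset,
            "size": len(blob),
            "class_name": header["class_name"] if header else "",
        })
    return {"heuristics": heuristics, "artifacts": artifacts}


if __name__ == "__main__":
    print(scan_rtf(SAMPLE_RTF))
```

Decoding before matching is the point: the ProgID check runs on the reassembled bytes, so the whitespace and the `{\*\junk ...}` group that defeat a grep on the raw file make no difference. The ObjectHeader parse also tells you which ProgID the object really targets when the visible `\objclass` (absent here) has been forged.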

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: objdata_00_off00000b9d.bin
SHA-256: 32b19b8ae0785d1b2dccb4aea7db71706f825ead71c9a797573bff477a8e4ab3
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0xB9D
Size: 1799 bytes