Malicious RTF — malware analysis report

Static analysis result for SHA-256 68b09a0c2cb71477…

MALICIOUS

RTF

687.8 KB First seen: 2021-06-17
MD5: 6c674deecb20b845df1c64182f2e53f7 SHA-1: 29d5925ee2e91b65a0e84aa8ee0805e857b4ca6e SHA-256: 68b09a0c2cb7147702a5e200c77d95e5ce006df063e692b7b528991fab98d698
100 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The RTF file contains embedded OLE objects and specifically triggers a critical heuristic for a split hex Equation Editor ProgID, indicating an exploit targeting this component. The embedded OLE objects, identified as objdata_00_off00000f58.bin and objdata_01_off0002aa71.bin, likely contain the exploit code or payload. The document body contains obfuscated JavaScript-like code, suggesting an attempt to execute further malicious actions, such as downloading a second-stage payload.

Heuristics 3

  • Split hex Equation Editor ProgID + OLE object critical RTF_EQUATION_EDITOR
    RTF embeds the Equation.3 ProgID as hex bytes near OLE object activation and splits the byte stream with whitespace or an ignorable RTF group. This is an Equation Editor OLE activation surface commonly used by CVE-2017-11882 / CVE-2018-0802 exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 2 \objdata section(s) — embedded OLE objects
  • Embedded OLE object medium RTF_OBJEMB
    RTF contains \objemb — embedded OLE object

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off00000f58.bin rtf-objdata-decoded RTF \objdata at offset 0xF58 49077 bytes
SHA-256: adffcd090aa95ddeede451a1fb02f74eff6c58bcc05018b1c4885f5c74aa2b41
objdata_01_off0002aa71.bin rtf-objdata-decoded RTF \objdata at offset 0x2AA71 130431 bytes
SHA-256: ea997585e88ef8fabc6b28529f7cb62db56327f3995d6a5d9d67dff3d4253a24

Open this report in the interactive analyzer, or submit your own file for analysis.