Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 695852fbf40810c2…

MALICIOUS

RTF / .DOC

78.0 KB
MD5: 13d8c6fac85c9bc52cdd1b3f03acdf2c SHA-1: 3cd20046f06fcba30e040a3e52ed2e10df9b3f84 SHA-256: 695852fbf40810c2c317bcb18e4851050b813d6a99fc99b4d7a9a258c0e93b84
120 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The sample is an RTF document that contains an embedded OLE object and triggers an update via \objupdate. Heuristics indicate a critical finding related to the Equation Editor, suggesting exploitation of a known vulnerability (CVE-2017-11882) for client execution. The presence of OLE object data further supports this attack vector. The document body is heavily obfuscated and does not provide direct clues to the payload's intent.

Heuristics 3

  • Split hex Equation Editor ProgID + OLE object critical RTF_EQUATION_EDITOR
    RTF embeds the Equation.3 ProgID as hex bytes near OLE object activation and splits the byte stream with whitespace or an ignorable RTF group. This is an Equation Editor OLE activation surface commonly used by CVE-2017-11882 / CVE-2018-0802 exploit documents.
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off00000583.bin
afc5b1bddb9d55e351a3097b0deef8e3902ab37e7d1532f10097930f1982e41f		 rtf-objdata-decoded RTF \objdata at offset 0x583 1674 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.