Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 6ab55413aa0c18a0…

MALICIOUS

RTF / .DOC

13.0 KB
MD5: bdf4feb317e41d2c450e006e90836e88
SHA-1: ebeeee09fea49d5b4f4bf2b6869459010091234e
SHA-256: 6ab55413aa0c18a004f34f3e935980f0682205d1c02227addbb35d228f9aa86b
Risk Score: 120

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution
T1566.001 Spearphishing Attachment

The sample is an RTF document that contains an embedded OLE object whose ProgID (Equation.3) targets the Microsoft Equation Editor. The \objupdate control word forces the object to be updated, and therefore instantiated, as soon as the document is opened, with no click from the user. An RTF that combines a forced-activation Equation Editor object with a hex-encoded ProgID hidden by splitting is the standard delivery vehicle for the Equation Editor stack overflow CVE-2017-11882 (and its CVE-2018-0802 variant), which yields code execution in the context of the user opening the file. Because that exploit chain is commonly used to fetch and run a secondary payload, the Exploitation for Client Execution pattern is assigned with high confidence.

Heuristics 3

  • Split hex Equation Editor ProgID + OLE object (severity: critical, rule: RTF_EQUATION_EDITOR)
    The RTF embeds the Equation.3 ProgID as hex bytes next to an OLE object activation, and the hex byte stream is broken up with whitespace or an ignorable RTF group so that the ProgID never appears contiguously in the file. This is the Equation Editor OLE activation surface commonly used by CVE-2017-11882 / CVE-2018-0802 exploit documents.
  • \objupdate forces OLE activation (severity: high, rule: RTF_OBJUPDATE)
    The RTF contains \objupdate, which forces the embedded OLE object to be instantiated automatically when the document is opened, without any user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium, rule: RTF_OBJDATA)
    The RTF contains 1 \objdata section, i.e. one embedded OLE object.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: objdata_00_off00001ec2.bin
SHA-256: 8a698c4e98979be59ce04b935e3014225e229ead1211a21a557d4e10bc28810c
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x1EC2
Size: 1991 bytes
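The three heuristics above and the \objdata carving are straightforward to reproduce. The script below is an added worked example, not the analyser's own code and not derived from the analysed sample: it runs the RTF_EQUATION_EDITOR, RTF_OBJUPDATE and RTF_OBJDATA checks and then decodes and parses each \objdata stream the way the carved artifact above was produced. The RTF fragment it scans is constructed for the example, the helper names are mine, and the rule identifiers are reused only as labels.

```python
import binascii
import re
import struct

# Constructed RTF fragment (not the analysed sample): \objupdate plus one \objdata
# stream whose hex is split by spaces, a line break and an ignorable {\*\...} group
# placed inside the "Equation.3" ProgID bytes. No \objclass is present, so the ProgID
# exists only inside the hex, which is the evasion RTF_EQUATION_EDITOR describes.
SAMPLE_RTF = (
    rb"{\rtf1\ansi{\object\objemb\objupdate"
    rb"{\*\objdata 01050000 02000000 0b000000" b"\r\n"
    rb"4571756174{\*\ignoreme}696f6e" b"\r\n" rb"2e3300"
    rb" 00000000 00000000 04000000 deadbeef}}}"
)

PROGID_HEX = binascii.hexlify(b"Equation.3")               # b"4571756174696f6e2e33"
_CONTROL = re.compile(rb"\\([a-zA-Z]+-?\d* ?|.)", re.S)    # control word or control symbol
_OBJDATA = re.compile(rb"\\objdata(?![a-zA-Z])")
_OBJUPDATE = re.compile(rb"\\objupdate(?![a-zA-Z])")

def has_objupdate(rtf: bytes) -> bool:
    """RTF_OBJUPDATE: the object is refreshed, hence instantiated, on document load."""
    return _OBJUPDATE.search(rtf) is not None

def _group_end(raw: bytes, i: int, depth: int) -> int:
    """Index of the '}' that brings the nesting depth back to zero, scanning from raw[i]."""
    while i < len(raw):
        c = raw[i]
        if c == 0x5C:
            i += 2                      # backslash plus the byte it escapes (\{, \}, \\)
            continue
        depth += (c == 0x7B) - (c == 0x7D)
        if depth == 0:
            return i
        i += 1
    return i

def find_objdata(rtf: bytes):
    """RTF_OBJDATA: (offset, group_body) for every \\objdata destination in the file."""
    found = []
    for m in _OBJDATA.finditer(rtf):
        start = m.end() + (rtf[m.end():m.end() + 1] == b" ")   # skip the delimiter space
        found.append((m.start(), rtf[start:_group_end(rtf, start, 1)]))
    return found

def decode_objdata(raw: bytes) -> bytes:
    """Reassemble the hex stream: drop whitespace, control words and whole ignorable
    groups so a split byte sequence comes back together (\\binN runs are not handled)."""
    hexchars, i = bytearray(), 0
    while i < len(raw):
        c = raw[i:i + 1]
        if c == b"{":
            i = _group_end(raw, i, 0) + 1      # skip the entire nested group
        elif c == b"\\":
            m = _CONTROL.match(raw, i)
            i = m.end() if m else i + 1
        else:
            if c in b"0123456789abcdefABCDEF":
                hexchars += c
            i += 1
    return binascii.unhexlify(bytes(hexchars[:len(hexchars) & ~1]))   # drop a dangling nibble

def _lp_ansi_string(data: bytes, off: int):
    """MS-OLEDS LengthPrefixedAnsiString: 4-byte length, then NUL-terminated text."""
    if off + 4 > len(data):
        return b"", len(data)
    (n,) = struct.unpack_from("<I", data, off)
    return data[off + 4:off + 4 + n].rstrip(b"\x00"), off + 4 + n

def parse_ole1(data: bytes) -> dict:
    """OLE 1.0 object header that an \\objdata stream starts with (MS-OLEDS ObjectHeader)."""
    version, format_id = struct.unpack_from("<II", data.ljust(8, b"\x00"), 0)
    class_name, off = _lp_ansi_string(data, 8)          # the ProgID lives here
    for _ in range(2):                                   # TopicName, ItemName
        _unused, off = _lp_ansi_string(data, off)
    native = b""
    if format_id == 2 and off + 4 <= len(data):          # 2 = EmbeddedObject: NativeData follows
        (size,) = struct.unpack_from("<I", data, off)
        native = data[off + 4:off + 4 + size]
    return {"ole_version": version, "format_id": format_id,
            "class_name": class_name, "native_data": native}

def scan_rtf(rtf: bytes) -> dict:
    """Apply the three heuristics and carve each object, mirroring the report layout."""
    objects = []
    for offset, raw in find_objdata(rtf):
        hdr = parse_ole1(decode_objdata(raw))
        objects.append({"offset": offset,
                        "class_name": hdr["class_name"].decode("latin-1"),
                        "split_progid": PROGID_HEX not in raw.lower(),   # no contiguous hex
                        "native_size": len(hdr["native_data"])})
    heuristics = []
    if any(o["class_name"].lower().startswith("equation") for o in objects):
        heuristics.append("RTF_EQUATION_EDITOR")
    if has_objupdate(rtf):
        heuristics.append("RTF_OBJUPDATE")
    if objects:
        heuristics.append("RTF_OBJDATA")
    return {"heuristics": heuristics, "objects": objects}

if __name__ == "__main__":
    print(scan_rtf(SAMPLE_RTF))
```

Two caveats when turning this into a detection. Legitimate writers wrap the \objdata hex at a fixed line width, so a ProgID that merely straddles a line break is weak evidence on its own; a ProgID interrupted by an ignorable group, as in the constructed fragment, is the stronger signal. And the decoder ignores \binN, which switches the stream to raw binary, so a production parser (oletools' rtfobj, for instance) must handle that escape before the carved bytes can be trusted.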