Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 6abdbd8449c8a0c4…

MALICIOUS

RTF / .DOC

4.0 KB
MD5:     59ee76982ad652788cebec61aa888c99
SHA-1:   82efb458a9364050468305b8a25a9a05e0b78e60
SHA-256: 6abdbd8449c8a0c4c76397c02ab90d950a1a04b089f3ef027088184db4d81923

Risk Score: 120

Malware Insights

MITRE ATT&CK
T1203     Exploitation for Client Execution
T1566.001 Spearphishing Attachment

The sample is an RTF document carrying embedded OLE objects whose \objdata stream contains the Equation.3 ProgID, hex-encoded and split so that it does not appear as one contiguous string. This points to an exploit for Microsoft Equation Editor (EQNEDT32.EXE), the component targeted by CVE-2017-11882 and CVE-2018-0802. The \objupdate control word makes Word instantiate the object as soon as the document is opened, so the crafted Equation object reaches the vulnerable parser without any click from the user; a successful exploit gives the attacker code execution in the Equation Editor process. Weaponised RTFs of this kind are a standard payload-delivery vector for email attachments.

Heuristics (3)

  • Split hex Equation Editor ProgID + OLE object (critical, RTF_EQUATION_EDITOR)
    The RTF embeds the Equation.3 ProgID as hex bytes next to the OLE object activation and breaks the hex run up with whitespace or an ignorable RTF group. The RTF reader reassembles the stream, but a signature looking for the contiguous hex string does not match. This is the Equation Editor OLE activation surface used by CVE-2017-11882 / CVE-2018-0802 exploit documents.
  • \objupdate forces OLE activation (high, RTF_OBJUPDATE)
    The RTF contains \objupdate, which forces the OLE object to be instantiated automatically when the document is opened, removing the need for user interaction. In practice it is seen almost exclusively in Equation Editor exploit documents.
  • OLE object data (medium, RTF_OBJDATA)
    The RTF contains 2 \objdata section(s), i.e. embedded OLE objects.
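The three heuristics above can be reproduced with a small amount of parsing. The following is an added example written for this page, not the scanner that produced the report and not code from the sample: it walks an RTF for \objdata groups, normalises each hex stream the way the RTF reader does (dropping nested ignorable groups and whitespace before decoding), and then applies the ProgID, \objupdate and \objdata checks. The input is a constructed RTF with the Equation.3 ProgID split across whitespace and a {\*\ignored ...} group; rule IDs and severities are copied from the report so the output is comparable, and the OLE1 header values in the sample are assumptions chosen to look like a real embedded object.

```python
"""Added example: minimal RTF triage reproducing the report's three heuristics."""
import re

# Constructed sample RTF, not the analysed file. The \objdata stream is an OLE1
# header (version 01050000, format 02000000, class-name length 0b000000) followed
# by the ProgID "Equation.3\0" as hex. The hex run is broken up by whitespace and
# an ignorable {\*\ignored ...} group, the evasion the first heuristic describes.
SAMPLE_RTF = rb"""{\rtf1\ansi
{\object\objemb\objupdate
{\*\objdata 01050000 02000000 0b0000
{\*\ignored x}00 45717561 74696f6e 2e3300 00000000 00000000}}
}"""


def _group_body(data: bytes, start: int) -> bytes:
    """Content of the RTF group from `start` up to its closing brace, nesting-aware."""
    depth = 0
    for i in range(start, len(data)):
        c = data[i]
        if c == 0x7B:            # {
            depth += 1
        elif c == 0x7D:          # }
            if depth == 0:
                return data[start:i]
            depth -= 1
    return data[start:]


def _strip_nested_groups(body: bytes) -> bytes:
    """Drop every nested {...} group; ignorable groups are how the hex run is split."""
    out, depth = bytearray(), 0
    for c in body:
        if c == 0x7B:
            depth += 1
        elif c == 0x7D:
            depth -= 1
        elif depth == 0:
            out.append(c)
    return bytes(out)


def find_objdata_bodies(rtf: bytes) -> list:
    """Return (offset, raw group body) for every \\objdata control word."""
    return [(m.start(), _group_body(rtf, m.end()))
            for m in re.finditer(rb"\\objdata(?![A-Za-z])", rtf)]


def decode_objdata(body: bytes) -> bytes:
    """Normalise a raw \\objdata body the way the RTF reader does: drop nested
    groups, control words and whitespace, then hex-decode what is left."""
    body = _strip_nested_groups(body)
    body = re.sub(rb"\\[A-Za-z]+-?\d* ?", b"", body)   # stray control words
    hexdigits = re.sub(rb"[^0-9A-Fa-f]", b"", body)
    if len(hexdigits) % 2:                              # tolerate a dangling nibble
        hexdigits = hexdigits[:-1]
    return bytes.fromhex(hexdigits.decode("ascii"))


def triage_rtf(rtf: bytes) -> dict:
    """Map rule ID -> (severity, detail) for the heuristics in the report."""
    findings = {}
    bodies = find_objdata_bodies(rtf)
    if bodies:
        findings["RTF_OBJDATA"] = ("medium", f"{len(bodies)} \\objdata section(s)")
    if re.search(rb"\\objupdate(?![A-Za-z])", rtf):
        findings["RTF_OBJUPDATE"] = ("high", "\\objupdate forces OLE activation on open")
    progid_hex = b"Equation.3".hex().encode()           # contiguous form a naive signature wants
    for off, body in bodies:
        if b"Equation.3" in decode_objdata(body):
            detail = "Equation.3 ProgID in \\objdata at offset 0x%X" % off
            if progid_hex not in body.lower():
                # only visible after reassembly: the hex run was split on purpose
                detail += " (hex stream split by whitespace/ignorable group)"
            findings["RTF_EQUATION_EDITOR"] = ("critical", detail)
    return findings


if __name__ == "__main__":
    for rule, (sev, detail) in triage_rtf(SAMPLE_RTF).items():
        print(f"{sev:8} {rule:22} {detail}")
```

The important design point is the order of operations in decode_objdata: matching the contiguous hex of "Equation.3" against the raw file is exactly what the split defeats, so the check has to run on the reassembled bytes, and the "split" annotation is derived by comparing the two views. Carved \objdata bytes from this decoder correspond to the rtf-objdata-decoded artifact listed below.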

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off000000c1.bin
SHA-256:  63f9aa1a0099bd953a5e3f9f0c0d2ce1e928795876d36ebc87bdd4e7b993a8d7
Kind:     rtf-objdata-decoded
Source:   RTF \objdata at offset 0xC1
Size:     1812 bytes