Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 6c1a5e39b662d240…

MALICIOUS

RTF / .DOC

44.4 KB
MD5: 0137b6f8e5ed37bc5d091eb6e6736426
SHA-1: 475399c7835b4be807b377826e7f7c8cfd54cb0f
SHA-256: 6c1a5e39b662d2400dc4077f6913f5c7f43f7c64b2afcd5c1b51f41d26a0c5d7
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1566.001 Spearphishing Attachment

The sample is an RTF document that contains embedded OLE object data. Critical heuristic firings indicate an exploit for CVE-2017-11882, the Equation Editor vulnerability, which is commonly exploited to achieve arbitrary code execution. The \objupdate heuristic further suggests that the embedded OLE object is configured to activate automatically when the document is opened, likely to trigger the exploit without user interaction. The document body is heavily obfuscated and unreadable, providing no direct clues to the payload's intent, but the exploit itself strongly suggests a malicious downloader or dropper.

Heuristics (3)

  • CVE-2017-11882 — Equation Editor FONT record overflow (severity: critical; ID: CVE_2017_11882)
    Equation Editor MTEF contains an overlong FONT typeface field, the vulnerable copy primitive for CVE-2017-11882. This is stronger evidence than the Equation Editor CLSID alone because it identifies the malformed record that drives code execution in EQNEDT32.EXE.
  • \objupdate forces OLE activation (severity: high; ID: RTF_OBJUPDATE)
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium; ID: RTF_OBJDATA)
    RTF contains 2 \objdata sections (embedded OLE objects).

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00001024.bin
SHA-256:  7e4420242ae0b09e5521b7074e55987ebc88a4d44cd6bb43c2dfe0e13ea29a7f
Kind:     rtf-objdata-decoded
Source:   RTF \objdata at offset 0x1024
Size:     4155 bytes