Malicious RTF — malware analysis report

Static analysis result for SHA-256 6ecfb6a3d0495bea…

MALICIOUS

RTF

Size: 1.57 MB
First seen: 2022-09-13
MD5: ef6a4a282c4097017c7b5b4d66ff89b1
SHA-1: a464c7bb02330b4bae39f389cb2e7c3705284390
SHA-256: 6ecfb6a3d0495bea52194c006a57aff18c7d54b6c8edc8dbd10c5506350010e6
Risk score: 180

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution
T1559.001 Component Object Model Hijacking

The RTF document contains an embedded OLE object with a ProgID indicative of Equation Editor, specifically triggering the CVE-2017-11882 vulnerability. The presence of \objupdate further suggests an attempt to force OLE activation, leading to arbitrary code execution. No specific malware family could be identified, but the exploit mechanism is clear.

Heuristics (5)

  • Equation Editor activation — CVE-2017-11882 related (severity: high; tag: CVE_2017_11882_ACTIVATION_RELATED)
    RTF decodes to an Equation.3 ProgID and requests OLE activation with \objemb plus \objupdate. This reaches the legacy Equation Editor attack surface used by CVE-2017-11882/CVE-2018-0802 documents, but the malformed MTEF/native payload needed for stronger attribution was not recovered.
  • Split hex Equation Editor ProgID + OLE object (severity: critical; tag: RTF_EQUATION_EDITOR)
    RTF embeds the Equation.3 ProgID as hex bytes near OLE object activation and splits the byte stream with whitespace or an ignorable RTF group. This is an Equation Editor OLE activation surface commonly used by CVE-2017-11882 / CVE-2018-0802 exploit documents.
  • \objupdate forces OLE activation (severity: high; tag: RTF_OBJUPDATE)
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium; tag: RTF_OBJDATA)
    RTF contains 2 \objdata section(s), i.e. embedded OLE objects.
  • Embedded OLE object (severity: medium; tag: RTF_OBJEMB)
    RTF contains \objemb, an embedded OLE object.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      Kind                  Source                          Size
objdata_00_off0000129e.bin    rtf-objdata-decoded   RTF \objdata at offset 0x129E   81922 bytes
  SHA-256: 5caa9c38a19347fe0e33e99ac1810414831f765b8912ba5e63aaa8894fa44411
objdata_01_off0002f420.bin    rtf-objdata-decoded   RTF \objdata at offset 0x2F420  346461 bytes
  SHA-256: f7b929ce489dfb0e55f3383a35fdd691eace09a148b71bdce40ecf74b197fdc5