Malicious RTF — malware analysis report

Static analysis result for SHA-256 70ed1ddba58e7b5b…

Verdict: MALICIOUS
File type: RTF
Size: 56.4 KB
First seen: 2025-10-01
MD5: 5ebbb75869bd013ad187a52247f5f35a
SHA-1: 0aef9e6b037ad32f12b2eef4ee0b3b21329c8995
SHA-256: 70ed1ddba58e7b5be093ece536035d9b7fd540237b50d816baa00d2772672257
Risk score: 120

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The RTF file contains an embedded OLE object that leverages a known Equation Editor vulnerability (RTF_EQUATION_EDITOR). The ".objupdate" directive forces the activation of this object, leading to code execution. The extracted objdata artifact is likely the payload or a component thereof. The exact nature of the secondary payload is not discernible from the provided evidence, but the exploit pattern strongly suggests a downloader or dropper.

Heuristics (3)

  • Split hex Equation Editor ProgID + OLE object (severity: critical, rule RTF_EQUATION_EDITOR)
    RTF embeds the Equation.3 ProgID as hex bytes near OLE object activation and splits the byte stream with whitespace or an ignorable RTF group. This is an Equation Editor OLE activation surface commonly used by CVE-2017-11882 / CVE-2018-0802 exploit documents.
  • \objupdate forces OLE activation (severity: high, rule RTF_OBJUPDATE)
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium, rule RTF_OBJDATA)
    RTF contains 1 \objdata section(s) — embedded OLE objects.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename                     Kind                  Source                          Size
objdata_00_off00001731.bin   rtf-objdata-decoded   RTF \objdata at offset 0x1731   1930 bytes
SHA-256 of artifact: e82f2e80de43894ce6c539a0a3561505623898dc61bdb54da6b03f4b6e51ce40