Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 71ec9af6675b1a94…

MALICIOUS

RTF / .DOC

860.6 KB First seen: 2022-09-19
MD5: dc5eab14880f013e84437830ff2863f1 SHA-1: 46692a99e901d57e620237f547fc8795bdb4b3a0 SHA-256: 71ec9af6675b1a94b64d88f1eb5f68cf1ab1e9ec3a9e87ee522c20c7cdd883bc
180 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious File

The sample is an RTF document containing OLE objects, specifically triggering the CVE-2017-11882 vulnerability related to Equation Editor. The embedded OLE object is designed to activate and execute malicious code, likely a script, as indicated by the RTF_EQUATION_EDITOR and RTF_OBJUPDATE heuristics. The presence of VBA code within the document body further supports the execution of a malicious script.

Heuristics 5

  • Equation Editor activation — CVE-2017-11882 related high CVE related CVE_2017_11882_ACTIVATION_RELATED
    RTF decodes to an Equation.3 ProgID and requests OLE activation with \objemb plus \objupdate. This reaches the legacy Equation Editor attack surface used by CVE-2017-11882/CVE-2018-0802 documents, but the malformed MTEF/native payload needed for stronger attribution was not recovered.
  • Split hex Equation Editor ProgID + OLE object critical RTF_EQUATION_EDITOR
    RTF embeds the Equation.3 ProgID as hex bytes near OLE object activation and splits the byte stream with whitespace or an ignorable RTF group. This is an Equation Editor OLE activation surface commonly used by CVE-2017-11882 / CVE-2018-0802 exploit documents.
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 2 \objdata section(s) — embedded OLE objects
  • Embedded OLE object medium RTF_OBJEMB
    RTF contains \objemb — embedded OLE object

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off00001284.bin
9f03c955f7f18fcc896d76d712191ef584b6fc72e8a5033edfecb6a78c2a2ce6		 rtf-objdata-decoded RTF \objdata at offset 0x1284 81377 bytes
objdata_01_off0002efaa.bin
8241f500b6f66c0010a61e3e66b293b7e5e246b297d9c6a44403288dc5895294		 rtf-objdata-decoded RTF \objdata at offset 0x2EFAA 140710 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.