Malicious RTF — malware analysis report

Static analysis result for SHA-256 721339a36ab621f9…

MALICIOUS

RTF

12.0 KB
MD5: 71fffc7d15f4c34476a1d0db1d7a9ff3 SHA-1: 5bc511117f7a0fa74b864d2c7df1b7b547583434 SHA-256: 721339a36ab621f9aac5fb09e8e10d37e51149fddfd0d24f10b6761a45f456db
120 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The sample is an RTF document containing an embedded OLE object that exploits a known vulnerability in the Microsoft Equation Editor. The presence of \objupdate indicates that the object is designed to be activated automatically, leading to code execution. While no specific script was extracted, the exploit pattern strongly suggests the execution of a secondary payload, likely a downloader.

Heuristics 3

  • Split hex Equation Editor ProgID + OLE object critical RTF_EQUATION_EDITOR
    RTF embeds the Equation.3 ProgID as hex bytes near OLE object activation and splits the byte stream with whitespace or an ignorable RTF group. This is an Equation Editor OLE activation surface commonly used by CVE-2017-11882 / CVE-2018-0802 exploit documents.
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off00001a72.bin
5c8c206069c1ede8b9af59bcb7c67995811df7c6c442eccfea8d7219c5b194a4		 rtf-objdata-decoded RTF \objdata at offset 0x1A72 1594 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.