Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 725b12df4fec413c…

Verdict: MALICIOUS
File type: RTF / .DOC
Size: 34.9 KB
MD5: 24493dcacf05c9fb289fbfc212cd36b3
SHA-1: 94b88f69ced44885ce157f6d4e2dd73218ec9662
SHA-256: 725b12df4fec413ce53b8e1c35652aa29b7500d72e3028689a88d7d0510b6346
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1566.001 Spearphishing Attachment

The sample is an RTF document containing OLE object data and specifically triggers heuristics for the Equation Editor vulnerability. The \objupdate directive indicates an attempt to force the activation of this embedded object, which is a known method for exploiting CVE-2017-11882. This exploit likely leads to the execution of a second-stage payload, although the specific payload and its origin could not be determined from the provided evidence.

Heuristics (3)

  • Split hex Equation Editor ProgID + OLE object (severity: critical, rule: RTF_EQUATION_EDITOR)
    RTF embeds the Equation.3 ProgID as hex bytes near OLE object activation and splits the byte stream with whitespace or an ignorable RTF group. This is an Equation Editor OLE activation surface commonly used by CVE-2017-11882 / CVE-2018-0802 exploit documents.
  • \objupdate forces OLE activation (severity: high, rule: RTF_OBJUPDATE)
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium, rule: RTF_OBJDATA)
    RTF contains 2 \objdata section(s) — embedded OLE objects.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00001815.bin
SHA-256: 3becbaa326bd992b3e242a64f9887666508b91b5b153915c54c5c2ae36fa0cd5
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x1815
Size: 1278 bytes