Malicious RTF — malware analysis report

Static analysis result for SHA-256 731274dfb1a00b96…

MALICIOUS

RTF

75.1 KB First seen: 2024-07-31
MD5: d559f074ac2f858891395b2d39d93e8e SHA-1: 04297240c45fce910112cadbdce42538a1b58889 SHA-256: 731274dfb1a00b9694101c7488bdfa2c9bba0588f75b09a8ade4e6c6f86fbcdd
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 User Execution: Malicious File

The sample is an RTF document containing OLE object data, specifically triggering heuristics related to the Equation Editor vulnerability. This indicates an attempt to exploit CVE-2017-11882 or a similar flaw to achieve code execution. The embedded OLE object data, decoded as objdata_00_off000006af.bin, is the primary artifact of this exploit. The attack pattern suggests a downloader or initial access vector, aiming to execute further malicious code.

Heuristics 3

  • Split hex Equation Editor ProgID + OLE object critical RTF_EQUATION_EDITOR
    RTF embeds the Equation.3 ProgID as hex bytes near OLE object activation and splits the byte stream with whitespace or an ignorable RTF group. This is an Equation Editor OLE activation surface commonly used by CVE-2017-11882 / CVE-2018-0802 exploit documents.
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off000006af.bin
b6024b151019a723f58c0e9491ce927c66faca55db2805ce4903ff2ab8b8618f		 rtf-objdata-decoded RTF \objdata at offset 0x6AF 1624 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.