Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 767640e4be0ad1dc…

MALICIOUS

RTF / .DOC

3.8 KB First seen: 2023-05-04
MD5: b7e88f9f57137b39269a26d7380851ea SHA-1: db32e2761ce37b791a41312355c1caf1c13ae113 SHA-256: 767640e4be0ad1dc04332cbaa7485d425feebf3e8665af6b9922b09cc98e1a74
120 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The sample is an RTF document containing an embedded OLE object that decodes to a PE file. Heuristics indicate the use of the Equation Editor vulnerability (".objdata" and ".objupdate" sections), which is a known method for exploiting client systems. The decoded payload is likely a secondary stage designed to execute malicious code.

Heuristics 3

  • Decoded Equation Editor payload + PE critical RTF_EQUATION_EDITOR
    RTF decodes to an Equation Editor ProgID adjacent to OLE activation and the same decoded object stream contains embedded PE bytes. This matches the Equation Editor exploit surface used by CVE-2017-11882 / CVE-2018-0802 documents, while requiring payload evidence to avoid flagging benign Equation references.
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off00000088.bin
2743bbe693c0303b9d94fdac44ddecc08cae80510c156515e570fd247fcecef8		 rtf-objdata-decoded RTF \objdata at offset 0x88 1821 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.