Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 7964fbce4d892802…

MALICIOUS

RTF / .DOC

Size: 1.78 MB
First seen: 2022-03-23
MD5: 778b4a10181d891d81612369a7dc3cad
SHA-1: f7062303fa429f7072c13e721e3d07f3828c36ed
SHA-256: 7964fbce4d892802568b05c49e48e03a535c303ec6ed144a4024068ecb958280
Risk Score: 220

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1566.001 Spearphishing Attachment

The sample is an RTF document that embeds an OLE1 object whose class name is Equation.3, i.e. Microsoft Equation Editor. The critical heuristics match the delivery pattern of Equation Editor remote code execution documents (CVE-2017-11882 and the follow-up CVE-2018-0802), which give arbitrary code execution when the object is activated; the \objupdate control word makes that activation happen on open without user interaction. The malformed MTEF record that would pin down the exact CVE was not recovered, so the attribution is to the Equation Editor exploit family rather than to a single CVE. The hex-encoded \objdata stream is far larger than any legitimate equation (about 929 KB once decoded) and most likely hides a payload, probably an executable.

Heuristics (5)

  • Equation Editor OLE1 native payload, CVE-2017-11882 related (critical, CVE_2017_11882_RELATED)
    The RTF decodes to an OLE1 embedded object with class name Equation.3 whose native data is large and payload-like, and \objupdate requests automatic activation. This is the delivery shape used by Equation Editor RCE documents such as CVE-2017-11882 and CVE-2018-0802, but the malformed MTEF record needed for exact attribution was not recovered.
  • Split hex Equation Editor ProgID + OLE object (critical, RTF_EQUATION_EDITOR)
    The RTF embeds the Equation.3 ProgID as hex bytes next to the OLE object activation and splits the byte stream with whitespace or an ignorable RTF group, so the ProgID is not visible to a plain string search. This Equation Editor OLE activation surface is commonly used by CVE-2017-11882 / CVE-2018-0802 exploit documents.
  • \objupdate forces OLE activation (high, RTF_OBJUPDATE)
    The RTF contains \objupdate, which forces the OLE object to be instantiated when the document is opened, without any user interaction. It is rarely needed in legitimate documents and is characteristic of Equation Editor exploit documents.
  • Large hex data blocks in OLE object (high, RTF_EXCESSIVE_HEX)
    The RTF contains about 1859 KB of hex-encoded data inside \objdata sections (roughly 929 KB once decoded), which may hide a payload.
  • OLE object data (medium, RTF_OBJDATA)
    The RTF contains 2 \objdata sections, i.e. embedded OLE objects.
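The five heuristics can be reproduced on a small scale. The Python below is an added example written for this page, not code from the analysis platform that produced the report. It builds a constructed RTF that carries an OLE1 Equation.3 object (filler bytes stand in for the MTEF record), then scans it the way the rules describe: it locates \objdata groups, drops the ignorable groups and whitespace that split the hex, decodes the OLE1 header to recover the ProgID, checks for \objupdate, and sizes the native data. The thresholds LARGE_NATIVE_BYTES and EXCESSIVE_HEX_CHARS and the mapping of findings to the report's rule IDs are assumptions for illustration; the OLE1 header layout follows MS-OLEDS.

```python
import re
import struct

HEX_DIGITS = frozenset(b'0123456789abcdefABCDEF')
OLE1_VERSION = 0x00000501          # OLEVersion field of an OLE1 ObjectHeader (MS-OLEDS)
OLE1_FORMAT_EMBEDDED = 0x00000002  # FormatID of an embedded (not linked) object
# The two thresholds are assumptions made for this example, not the report's tuning.
LARGE_NATIVE_BYTES = 512           # native data this big is treated as "payload-like"
EXCESSIVE_HEX_CHARS = 1024         # total \objdata hex beyond this is "excessive"

def lp_ansi(s: bytes) -> bytes:
    """LengthPrefixedAnsiString: 4-byte length that counts the NUL; empty string -> length 0."""
    return struct.pack('<I', 0) if not s else struct.pack('<I', len(s) + 1) + s + b'\x00'

def build_ole1(class_name: bytes, native: bytes) -> bytes:
    """OLE1 embedded-object stream: header, ClassName, TopicName, ItemName, NativeData."""
    return (struct.pack('<II', OLE1_VERSION, OLE1_FORMAT_EMBEDDED)
            + lp_ansi(class_name) + lp_ansi(b'') + lp_ansi(b'')
            + struct.pack('<I', len(native)) + native)

# Constructed sample, not the analysed file: an Equation.3 object carrying filler native
# data, its hex interrupted by an ignorable group and whitespace, and \objupdate set.
_NATIVE = b'<constructed filler, stands in for the MTEF record>' * 16   # 816 bytes
_HEX = build_ole1(b'Equation.3', _NATIVE).hex()
_SPLIT_HEX = _HEX[:30] + '{\\*\\constructed}' + _HEX[30:38] + '  ' + _HEX[38:]
SAMPLE_RTF = (b'{\\rtf1\\ansi\n'
              b'{\\object\\objemb\\objupdate\\objw400\\objh400\n'
              b'{\\*\\objdata ' + _SPLIT_HEX.encode('ascii') + b'}\n'
              b'{\\result{\\pict\\wmetafile8 0100}}}\n'
              b'}\n')
BENIGN_RTF = b'{\\rtf1\\ansi Hello, world.}\n'

def objdata_groups(rtf: bytes):
    """Yield (offset, body, nested) per objdata control word; body runs to the group's
    closing brace with nested groups removed, nested is how many were removed."""
    for m in re.finditer(rb'\\objdata(?![A-Za-z])', rtf):
        depth, nested, out = 0, 0, bytearray()
        for pos in range(m.end(), len(rtf)):
            ch = rtf[pos]
            if ch == 0x7B:                       # '{' opens a nested group
                nested += depth == 0
                depth += 1
            elif ch == 0x7D:                     # '}'
                if depth == 0:
                    break                        # closes the objdata group itself
                depth -= 1
            elif depth == 0:
                out.append(ch)
        yield m.start(), bytes(out), nested

def decode_objdata(body: bytes, nested: int):
    """Hex-decode an objdata body; split is True when whitespace or a nested group broke the hex."""
    body = body.strip()
    hexonly = bytes(c for c in body if c in HEX_DIGITS)
    split = nested > 0 or len(hexonly) != len(body)
    hexonly = hexonly[:len(hexonly) - len(hexonly) % 2]   # drop a dangling nibble
    return bytes.fromhex(hexonly.decode('ascii')), split

def parse_ole1(blob: bytes):
    """Parse an OLE1 ObjectHeader; return None when the stream is not OLE1."""
    if len(blob) < 12 or struct.unpack_from('<I', blob, 0)[0] != OLE1_VERSION:
        return None
    fmt, off, names = struct.unpack_from('<I', blob, 4)[0], 8, []
    for _ in range(3):                           # ClassName, TopicName, ItemName
        if off + 4 > len(blob):
            return None
        n = struct.unpack_from('<I', blob, off)[0]
        names.append(blob[off + 4:off + 4 + n].rstrip(b'\x00').decode('latin-1'))
        off += 4 + n
    native_size = None
    if fmt == OLE1_FORMAT_EMBEDDED and off + 4 <= len(blob):
        native_size = struct.unpack_from('<I', blob, off)[0]
    return {'format_id': fmt, 'class_name': names[0], 'native_size': native_size}

def analyze_rtf(rtf: bytes) -> dict:
    """Apply the report's five heuristics to one RTF; returns fired rule IDs and objects."""
    objects, hex_chars = [], 0
    for off, body, nested in objdata_groups(rtf):
        blob, split = decode_objdata(body, nested)
        hex_chars += 2 * len(blob)
        objects.append({'offset': off, 'decoded_size': len(blob),
                        'split_hex': split, 'ole1': parse_ole1(blob)})
    objupdate = re.search(rb'\\objupdate(?![A-Za-z])', rtf) is not None
    equation = [o for o in objects
                if o['ole1'] and o['ole1']['class_name'].lower().startswith('equation')]
    checks = [('RTF_OBJDATA', bool(objects)),
              ('RTF_OBJUPDATE', objupdate),
              ('RTF_EXCESSIVE_HEX', hex_chars > EXCESSIVE_HEX_CHARS),
              ('RTF_EQUATION_EDITOR', any(o['split_hex'] for o in equation)),
              ('CVE_2017_11882_RELATED', objupdate and any(
                  (o['ole1']['native_size'] or 0) >= LARGE_NATIVE_BYTES for o in equation))]
    return {'rules': [rid for rid, hit in checks if hit], 'objupdate': objupdate,
            'objects': objects}

if __name__ == '__main__':
    for name, doc in (('constructed sample', SAMPLE_RTF), ('benign control', BENIGN_RTF)):
        r = analyze_rtf(doc)
        print(name, '->', r['rules'] or 'no rules fired', [o['ole1'] for o in r['objects']])
```

Running the script prints which rules fire for the constructed sample and for a benign control. The point worth noting is that the ProgID is read from the decoded OLE1 header rather than searched for as a string, so splitting the hex with whitespace or an ignorable group, as the second heuristic describes, does not hide it; a scanner that only greps the raw RTF for "Equation.3" would miss the same object.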

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00001b48.bin
SHA-256: ea472e4d64eac2a82f49efff1d0bc144a8f7887384c3ecde1a0959d10e656875
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x1B48
Size: 929911 bytes