Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 79f578f7d5cc6948…

MALICIOUS

RTF / .DOC

Size: 11.7 KB
First seen: 2022-03-08
MD5: c1a029df3c135d5e50d853159bcbba56
SHA-1: f89efe456781623f0d73381f463c9702d7f10255
SHA-256: 79f578f7d5cc694887a536668bc49d280daa720fa7cc797531e614b0e0391afc
Risk Score: 121

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1204.002 Malicious File
  • T1566.001 Spearphishing Attachment

The sample is an RTF document that contains embedded OLE object data and carries an update control word that forces the object to activate on open, indicating that it is built to exploit an embedded object rather than to display content. Specifically, the RTF_EQUATION_EDITOR heuristic points to a known vulnerability in Microsoft Equation Editor. This vulnerability is commonly used to download and execute arbitrary code, so it is highly probable that the document attempts to deliver a secondary payload. No document body text or scripts were extracted, which limits further analysis of the specific payload.

Heuristics (3)

  • Split hex Equation Editor ProgID + OLE object (critical, RTF_EQUATION_EDITOR)
    RTF embeds the Equation.3 ProgID as hex bytes near OLE object activation and splits the byte stream with whitespace or an ignorable RTF group. This is an Equation Editor OLE activation surface commonly used by CVE-2017-11882 / CVE-2018-0802 exploit documents.
  • \objupdate forces OLE activation (high, RTF_OBJUPDATE)
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (medium, RTF_OBJDATA)
    RTF contains 2 \objdata section(s), i.e. embedded OLE objects.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00001f58.bin
SHA-256: a126f87f933c08b215645e799f599534eaa50881095d5550e57eeae5aedd1e0c
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x1F58
Size: 1766 bytes