Malicious RTF — malware analysis report

Static analysis result for SHA-256 7a284d1c10630ab1…

MALICIOUS

RTF

Size: 682.6 KB
First seen: 2022-07-02
MD5: 63efccd5cd0cbc0a27e9462125a6bdac
SHA-1: 677880b3e0d7c151c3fbd2ef5cf7b66bcbfa9dab
SHA-256: 7a284d1c10630ab19e55a6deb8e245dda61bc4c733e1ea92552bbe7405ebd8d6
Risk Score: 122

Heuristics (4)

  • Decoded Equation Editor payload + PE [critical] [CVE likely] RTF_EQUATION_EDITOR
    RTF decodes to an Equation Editor ProgID adjacent to OLE activation and the same decoded object stream contains embedded PE bytes. This matches the Equation Editor exploit surface used by CVE-2017-11882 / CVE-2018-0802 documents, while requiring payload evidence to avoid flagging benign Equation references.
  • \objupdate forces OLE activation [high] RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data [medium] RTF_OBJDATA
    RTF contains 1 \objdata section(s), i.e. embedded OLE objects.
  • Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00000043.bin
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x43
Size: 349404 bytes
SHA-256: a5130c1b32976bd285d3928f074d5d51a3b31ca0df7129a0db40e6c013bcb19b
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 8.00, consistent with packed or encrypted content.