Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 7d5093b7453c3c88…

MALICIOUS

RTF / .DOC

1.68 MB First seen: 2023-04-11
MD5: 6d585ee2ab8ac3ed320752bdc07b5c22 SHA-1: 51d765fcd8aff433b8ae9ada6aa60cb72905179a SHA-256: 7d5093b7453c3c887a2d987821f32bdf0c3751ec28df5807c796efc6a6399584
302 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious File

The RTF document contains embedded OLE objects, specifically leveraging the Equation Editor vulnerability (CVE-2017-11882). The presence of RTF_EQUATION_EDITOR and CVE_2017_11882_ACTIVATION_RELATED heuristics strongly indicates exploitation of this known vulnerability. The embedded OLE object, identified as Equation.3, is likely a dropper designed to execute a secondary payload, as suggested by the RTF_MZ_HEX heuristic indicating a PE header within the object data.

Heuristics 8

  • Equation Editor activation — CVE-2017-11882 related high CVE related CVE_2017_11882_ACTIVATION_RELATED
    RTF decodes to an Equation.3 ProgID and requests OLE activation with \objemb plus \objupdate. This reaches the legacy Equation Editor attack surface used by CVE-2017-11882/CVE-2018-0802 documents, but the malformed MTEF/native payload needed for stronger attribution was not recovered.
  • Split hex Equation Editor ProgID + OLE object critical RTF_EQUATION_EDITOR
    RTF embeds the Equation.3 ProgID as hex bytes near OLE object activation and splits the byte stream with whitespace or an ignorable RTF group. This is an Equation Editor OLE activation surface commonly used by CVE-2017-11882 / CVE-2018-0802 exploit documents.
  • PE header (with DOS stub) in hex data critical RTF_MZ_HEX
    Hex-encoded PE (MZ + DOS stub) found inside RTF — likely an embedded executable payload
  • ClamAV: Rtf.Dropper.Agent-9965975-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Rtf.Dropper.Agent-9965975-1
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 2 \objdata section(s) — embedded OLE objects
  • Embedded OLE object medium RTF_OBJEMB
    RTF contains \objemb — embedded OLE object
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off00080066.bin
48b13fb37dca6a3fcc205087a81dfb1c896d71c9ba7c17684158fb10ce8bb5d1		 rtf-objdata-decoded RTF \objdata at offset 0x80066 138419 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.94, consistent with packed or encrypted content.
objdata_01_off000cd914.bin
b082c613461a85f6eba70afde808507f8e6c7944d8af274359edab55aba7d089		 rtf-objdata-decoded RTF \objdata at offset 0xCD914 187272 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.