Malicious RTF — malware analysis report

Static analysis result for SHA-256 7dd47094c1914eaf…

Verdict: MALICIOUS

File type: RTF

Size: 6.3 KB
First seen: 2019-08-04
MD5: cdaafc774e41de73d1198738f131c2ba
SHA-1: 1a2a6557cb0bebce89a1823bf91de8cf714978ad
SHA-256: 7dd47094c1914eaf910f2b70fbae0de9493db70181106e7545c7c51505254cf8
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1566.001 Spearphishing Attachment

The RTF file contains an embedded OLE object with a split Equation Editor ProgID, indicating exploitation of CVE-2017-11882. The \objupdate directive forces OLE activation, which is likely used to trigger the exploit and download a second-stage payload. The file's malicious verdict and the nature of the exploit strongly suggest a spearphishing attachment used for initial compromise.

Heuristics (3)

  • Split hex Equation Editor ProgID + OLE object (severity: critical; CVE: likely; rule: RTF_EQUATION_EDITOR)
    RTF embeds the Equation.3 ProgID as hex bytes near OLE object activation and splits the byte stream with whitespace or an ignorable RTF group. This is an Equation Editor OLE activation surface commonly used by CVE-2017-11882 / CVE-2018-0802 exploit documents.
  • \objupdate forces OLE activation (severity: high; rule: RTF_OBJUPDATE)
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium; rule: RTF_OBJDATA)
    RTF contains 1 \objdata section(s), i.e. embedded OLE objects.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  • Filename: objdata_00_off00000af8.bin
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0xAF8
    Size: 1788 bytes
    SHA-256: c606065d023212958be95d543f9836195234632b507333483af233dee4930d8d