Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 7e4c8ac1d5c57880…

MALICIOUS

RTF / .DOC

2.24 MB
MD5: 714f862a687434039f86051feb190697 SHA-1: c28e968909adcd3cd9799fbf9aa00d9ef6eef28e SHA-256: 7e4c8ac1d5c57880db3720e28982634c63b922e3bd12b05991518c5c0e28fa1a
180 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious File

The RTF file contains multiple indicators of exploitation, specifically related to CVE-2017-11882 through the Equation Editor. The presence of OLE objects and the ".objupdate" directive strongly suggest that the embedded Equation Editor object is designed to be activated, leading to arbitrary code execution. This is a common delivery mechanism for exploiting this vulnerability.

Heuristics 5

  • Equation Editor activation — CVE-2017-11882 related high CVE related CVE_2017_11882_ACTIVATION_RELATED
    RTF decodes to an Equation.3 ProgID and requests OLE activation with \objemb plus \objupdate. This reaches the legacy Equation Editor attack surface used by CVE-2017-11882/CVE-2018-0802 documents, but the malformed MTEF/native payload needed for stronger attribution was not recovered.
  • Split hex Equation Editor ProgID + OLE object critical RTF_EQUATION_EDITOR
    RTF embeds the Equation.3 ProgID as hex bytes near OLE object activation and splits the byte stream with whitespace or an ignorable RTF group. This is an Equation Editor OLE activation surface commonly used by CVE-2017-11882 / CVE-2018-0802 exploit documents.
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 2 \objdata section(s) — embedded OLE objects
  • Embedded OLE object medium RTF_OBJEMB
    RTF contains \objemb — embedded OLE object

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off00001202.bin
c38c1e74681d682674404ec2b1b7c1d4d95308998a476de31029da9bb9b2daa2		 rtf-objdata-decoded RTF \objdata at offset 0x1202 27712 bytes
objdata_01_off0001d28d.bin
05fc6d2b0a81484fefcb6cc6d4891013e53501190027c21cdd96bf0ea0957523		 rtf-objdata-decoded RTF \objdata at offset 0x1D28D 478713 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.