Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 7fb18c3948d4f743…

MALICIOUS

RTF / .DOC

978.6 KB
MD5: 976213383ed5664d22d67497090f8d9a SHA-1: 2f52c0fd74076c93704aefdc5d2f5252223c1258 SHA-256: 7fb18c3948d4f74355ca03d2d01ca43d46b3231d14d7cbee4f618710aa192d9a
202 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious File T1059.003 Windows Command Shell

The RTF document contains an embedded OLE object with a split Equation Editor ProgID, indicating exploitation of CVE-2017-11882. The object data is excessively large and hex-encoded, likely hiding a second-stage payload. The presence of ".objupdate" further suggests automatic activation of the embedded object upon opening the document.

Heuristics 6

  • Split hex Equation Editor ProgID + OLE object critical RTF_EQUATION_EDITOR
    RTF embeds the Equation.3 ProgID as hex bytes near OLE object activation and splits the byte stream with whitespace or an ignorable RTF group. This is an Equation Editor OLE activation surface commonly used by CVE-2017-11882 / CVE-2018-0802 exploit documents.
  • Automatically linked OLE object high RTF_OBJAUTLINK
    RTF contains \objautlink — an automatically linked OLE object surface that can be updated or activated when Word opens the document.
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • Large hex data blocks in OLE object high RTF_EXCESSIVE_HEX
    RTF contains ~1001KB of hex-encoded data inside \objdata sections — may hide a payload
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off00000074.bin
6ec6c7899e72f6047814c1ad18ebb5e5f7b965d788c1dbbfdc1b609faf6a1454		 rtf-objdata-decoded RTF \objdata at offset 0x74 500903 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 8.00, consistent with packed or encrypted content.

Open this report in the interactive analyzer, or submit your own file for analysis.