Malicious RTF — malware analysis report

Static analysis result for SHA-256 82752639fdd402f2…

MALICIOUS

RTF

14.9 KB First seen: 2020-09-07
MD5: ebc0ec09b41989eae02be92110809e27 SHA-1: b501cc3207eebb724ff2fb7a45dba91a95885a03 SHA-256: 82752639fdd402f22ff1182e7902c8c7bf03f14306e84a5636e2d5e51f918083
120 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The RTF document contains an embedded OLE object that leverages a known vulnerability in the Equation Editor. The ".objupdate" directive forces the activation of this object, leading to the execution of a secondary payload. The document body contains what appears to be a parts list, which is likely a lure to disguise the malicious nature of the file.

Heuristics 3

  • Split hex Equation Editor ProgID + OLE object critical CVE likely RTF_EQUATION_EDITOR
    RTF embeds the Equation.3 ProgID as hex bytes near OLE object activation and splits the byte stream with whitespace or an ignorable RTF group. This is an Equation Editor OLE activation surface commonly used by CVE-2017-11882 / CVE-2018-0802 exploit documents.
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off000015af.bin rtf-objdata-decoded RTF \objdata at offset 0x15AF 1674 bytes
SHA-256: 64c3e8df51f3ae2cf0a0df62c7c20fe4e9c895fcea39d3a94319ff74055fc423