Malicious RTF — malware analysis report

Static analysis result for SHA-256 849e134210695207…

MALICIOUS

RTF

Size: 7.4 KB
First seen: 2019-05-31
MD5: ca5d1523987c3ea520c62cabd012bf7f
SHA-1: 4af86501fd3e796ee3d5ac70eefe6d7a1f1ca46d
SHA-256: 849e134210695207e9f05976e2da47507a6c02c863a6e86a2588cdb8b8d92f26
Risk Score: 140

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1566.001 Spearphishing Attachment

The RTF file contains embedded OLE object data that triggers heuristics for Microsoft Equation Editor and forced OLE object activation. This indicates the file is designed to exploit a vulnerability in the Equation Editor component to achieve code execution. The presence of the \objupdate control word further suggests an attempt to force activation of the embedded OLE object when the document is opened, likely to trigger the exploit without user interaction.

Heuristics (4)

  • Equation Editor CLSID [critical, CVE likely] (RTF_EQUATION_EDITOR)
    Equation Editor OLE CLSID found inside an OLE object. Exploited by CVE-2017-11882 / CVE-2018-0802 / CVE-2018-0798.
  • \objupdate forces OLE activation [high] (RTF_OBJUPDATE)
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data [medium] (RTF_OBJDATA)
    RTF contains 1 \objdata section(s): embedded OLE objects.
  • Embedded OLE object [medium] (RTF_OBJEMB)
    RTF contains \objemb: embedded OLE object.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00000032.bin
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x32
Size: 3625 bytes
SHA-256: 59fd005245ea627ba60a802c9032c14b3070b5dc3e257a7b0e97c5919800a68b