Malicious RTF — malware analysis report

Static analysis result for SHA-256 88d8d7b7fe4afc4c…

MALICIOUS

RTF

Size: 100.6 KB
First seen: 2024-09-17
MD5: 0edaacfdd31f608fd4fb9e440a2d9d7f
SHA-1: 84ba72c416ffdd388f30cb72bc4ee723d07521b2
SHA-256: 88d8d7b7fe4afc4c2c72480328d073b74ef003ec5708097e343468c99eb8401c
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File

The sample is an RTF document that leverages the Equation Editor vulnerability, indicated by the RTF_EQUATION_EDITOR and RTF_OBJUPDATE heuristics. This exploit is designed to trigger OLE object activation, allowing for the execution of embedded code. The primary goal appears to be the download and execution of a secondary payload, a common tactic for initial access.

Heuristics (3)

  • Split hex Equation Editor ProgID + OLE object (severity: critical, RTF_EQUATION_EDITOR)
    The RTF embeds the Equation.3 ProgID as hex bytes near OLE object activation and splits the byte stream with whitespace or an ignorable RTF group. This is an Equation Editor OLE activation surface commonly used by CVE-2017-11882 / CVE-2018-0802 exploit documents.
  • \objupdate forces OLE activation (severity: high, RTF_OBJUPDATE)
    The RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. It is almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium, RTF_OBJDATA)
    The RTF contains 1 \objdata section (an embedded OLE object).

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00001b71.bin
SHA-256: 27905a65f37fdcb10f87f60e27a42e5eaf33fd4095ad72c2088c52de8c2a118c
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x1B71
Size: 1780 bytes