Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 88f76a8ce4d63f93…

MALICIOUS

RTF / .DOC

399.7 KB
MD5: 010470265f86e0e4486fee0a2e2c80a7 SHA-1: 5673aa9cb8f9cdb7d8133f4271c0a17bba1bf5df SHA-256: 88f76a8ce4d63f93390688297a06885f15f3436abe4175ae538007a0484199c0
100 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1566.001 Phishing: Spearphishing Attachment

The presence of the Equation.3 ProgID and the split hex byte stream in the OLE object is a signature of the CVE-2017-11882 / CVE-2018-0802 exploit delivery mechanism. No scripts were extracted from this sample, but the embedded binary objects (objdata) are shellcode-stage payloads typically used to trigger the memory corruption and execute subsequent stages. The high risk score and critical heuristic firing for RTF_EQUATION_EDITOR specifically identify this vulnerability surface.

Heuristics 3

  • Split hex Equation Editor ProgID + OLE object critical RTF_EQUATION_EDITOR
    RTF embeds the Equation.3 ProgID as hex bytes near OLE object activation and splits the byte stream with whitespace or an ignorable RTF group. This is an Equation Editor OLE activation surface commonly used by CVE-2017-11882 / CVE-2018-0802 exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 2 \objdata section(s) — embedded OLE objects
  • Embedded OLE object medium RTF_OBJEMB
    RTF contains \objemb — embedded OLE object

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off000011e1.bin
afb68329ef7ac016b76b855a29cffbfc739cc96305f1a9fc897f112a3f606ae1		 rtf-objdata-decoded RTF \objdata at offset 0x11E1 53954 bytes
objdata_01_off0002faeb.bin
d0fc8ee401697f3768fde09886a746ca13e579b7cfe70db22d1d9623d4a0df1e		 rtf-objdata-decoded RTF \objdata at offset 0x2FAEB 57823 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.