Malicious RTF — malware analysis report

Static analysis result for SHA-256 8952a605589e5137…

MALICIOUS

RTF

14.0 KB First seen: 2023-02-25
MD5: 12592e047d6a24925a0f71e84618c828 SHA-1: d808fc6c513b301f65ff83ca258ed83d04bc3ce0 SHA-256: 8952a605589e5137455aa1b31c6d3be650f920dc090e82e090e3951e249d6acc
200 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 User Execution: Malicious File T1059.003 Command and Scripting Interpreter: Windows Command Shell T1027 Obfuscated Files or Information

The RTF document contains an OLE object with a ProgID indicative of Equation Editor, specifically triggering the CVE-2017-11882 vulnerability. The presence of \objupdate and \objdata directives confirms that the embedded OLE object is intended to be activated and executed. This technique is commonly used to achieve arbitrary code execution upon opening the document.

Heuristics 5

  • Equation Editor activation — CVE-2017-11882 related high CVE related CVE_2017_11882_ACTIVATION_RELATED
    RTF decodes to an Equation.3 ProgID and requests OLE activation with \objemb plus \objupdate. This reaches the legacy Equation Editor attack surface used by CVE-2017-11882/CVE-2018-0802 documents, but the malformed MTEF/native payload needed for stronger attribution was not recovered.
  • Split hex Equation Editor ProgID + OLE object critical RTF_EQUATION_EDITOR
    RTF embeds the Equation.3 ProgID as hex bytes near OLE object activation and splits the byte stream with whitespace or an ignorable RTF group. This is an Equation Editor OLE activation surface commonly used by CVE-2017-11882 / CVE-2018-0802 exploit documents.
  • Automatically linked OLE object high RTF_OBJAUTLINK
    RTF contains \objautlink — an automatically linked OLE object surface that can be updated or activated when Word opens the document.
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off000016a4.bin
eded5616601453185cf816fa1ad9506ecf0b348363e08234b6f3a8818ee77d5c		 rtf-objdata-decoded RTF \objdata at offset 0x16A4 1862 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.