Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 8a2a2f30c2d0e96f…

Verdict: MALICIOUS
File type: RTF / .DOC
Size: 18.8 KB
MD5: bbff3d02c5d7c87053e6432555d1c35f
SHA-1: 243ef609d6847a27cec1a443e7415682d2711de8
SHA-256: 8a2a2f30c2d0e96fabdd7b35775f9ea05fd63f694b5666487db3ba27fdf74ede
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1204.002 Malicious File
  • T1566.001 Spearphishing Attachment

The sample is an RTF document that contains embedded OLE objects, specifically targeting the Equation Editor vulnerability. The \objupdate directive indicates that the embedded object will be activated automatically upon opening the document. This technique is commonly used to deliver a second-stage payload, often downloaded from a remote server. No specific family could be identified, but the exploit method is clear.

Heuristics (3)

  • Split hex Equation Editor ProgID + OLE object [critical] (RTF_EQUATION_EDITOR)
    RTF embeds the Equation.3 ProgID as hex bytes near OLE object activation and splits the byte stream with whitespace or an ignorable RTF group. This is an Equation Editor OLE activation surface commonly used by CVE-2017-11882 / CVE-2018-0802 exploit documents.
  • \objupdate forces OLE activation [high] (RTF_OBJUPDATE)
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data [medium] (RTF_OBJDATA)
    RTF contains 2 \objdata section(s), i.e. embedded OLE objects.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename                    Kind                 Source                         Size
objdata_00_off00001d45.bin  rtf-objdata-decoded  RTF \objdata at offset 0x1D45  1900 bytes
  SHA-256: f611e047c84bc831810d6e8f15523c90d86675d99595786ac41ef8e579759b91