Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 8bba9755c9c3834c…

MALICIOUS

RTF / .DOC

3.7 KB
MD5:     988beab62f4aaf928033ba7df4a851fe
SHA-1:   95b2173685fcc7ecbc2b86d7d157f0e5ab4e299b
SHA-256: 8bba9755c9c3834cb46eb50ca223633678901d6e802bfa32c1c2acbab64d4d68

Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1559.002 Component Object Model Hijacking

The RTF document contains embedded OLE objects and specifically targets the Equation Editor vulnerability. The \objupdate control word forces the embedded OLE object to be activated as soon as the document is opened, a known technique for triggering the Equation Editor flaw and achieving arbitrary code execution. No scripts or follow-on payloads were extracted, so the exploit itself is the primary attack vector.

Heuristics (3)

  • Split hex Equation Editor ProgID + OLE object  [severity: critical, rule: RTF_EQUATION_EDITOR]
    RTF embeds the Equation.3 ProgID as hex bytes near OLE object activation and splits the byte stream with whitespace or an ignorable RTF group. This is an Equation Editor OLE activation surface commonly used by CVE-2017-11882 / CVE-2018-0802 exploit documents.
  • \objupdate forces OLE activation  [severity: high, rule: RTF_OBJUPDATE]
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data  [severity: medium, rule: RTF_OBJDATA]
    RTF contains 2 \objdata section(s), i.e. embedded OLE objects.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename                    Kind                  Source                          Size
objdata_00_off0000008f.bin  rtf-objdata-decoded   RTF \objdata at offset 0x8F     1642 bytes
  SHA-256: 5a49d3e7b1f2818f8b99626319eb664dd0b21403683406e086ea93ce72017408