Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 8d9ba741c497d3af…

MALICIOUS

RTF / .DOC

Size: 11.3 KB
First seen: 2022-03-21
MD5: 58e0f3f8c39232d342d952dd57d372d3
SHA-1: e27abdc2fd86c3101225d5d1a4a06702b2747d90
SHA-256: 8d9ba741c497d3af424724bd632a20158e0cb59029b8db358719e97fb793ecd9
Risk score: 121

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution
T1059.001 PowerShell

The sample is an RTF document that contains OLE object data and triggers an object update. Critical heuristics indicate the use of the Equation Editor vulnerability, a known method for exploiting Microsoft Office applications. This exploit likely facilitates the execution of a secondary payload, as suggested by the RTF_OBJUPDATE heuristic.

Heuristics (3)

  • RTF_EQUATION_EDITOR (critical): Split hex Equation Editor ProgID + OLE object
    RTF embeds the Equation.3 ProgID as hex bytes near OLE object activation and splits the byte stream with whitespace or an ignorable RTF group. This is an Equation Editor OLE activation surface commonly used by CVE-2017-11882 / CVE-2018-0802 exploit documents.
  • RTF_OBJUPDATE (high): \objupdate forces OLE activation
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • RTF_OBJDATA (medium): OLE object data
    RTF contains 2 \objdata section(s) (embedded OLE objects).

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00001d39.bin
SHA-256: 5bef368601398b0f68bb06e38119c86d60a453da55743b9ba9b973771ca543ce
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x1D39
Size: 1913 bytes