Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 8db7e417fd4e3745…

MALICIOUS

RTF / .DOC

343.1 KB First seen: 2022-07-04
MD5: 85023e48359b4e870cbed0b920b79700 SHA-1: db4e114dfabeda0a1a903cbe8ba74d0c657a2468 SHA-256: 8db7e417fd4e3745b61868559ebad0429ca000d0dc5db7f24ab256f7e62d0b86
120 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1068 Exploitation for Privilege Escalation

The sample is an RTF document containing a critical heuristic firing for RTF_EQUATION_EDITOR, indicating a split hex Equation Editor ProgID and OLE object. This is characteristic of the CVE-2017-11882 exploit. The presence of RTF_OBJUPDATE and RTF_OBJDATA further supports a mechanism to force OLE activation and deliver a payload via embedded objects.

Heuristics 3

  • Split hex Equation Editor ProgID + OLE object critical RTF_EQUATION_EDITOR
    RTF embeds the Equation.3 ProgID as hex bytes near OLE object activation and splits the byte stream with whitespace or an ignorable RTF group. This is an Equation Editor OLE activation surface commonly used by CVE-2017-11882 / CVE-2018-0802 exploit documents.
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 2 \objdata section(s) — embedded OLE objects

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off00001a63.bin
8d88468b932a0f5a2d618282f477058dcbc3df32a5b222bb49f55e606b34ecc7		 rtf-objdata-decoded RTF \objdata at offset 0x1A63 110983 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.