Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 8e97e85fd5881e5f…

MALICIOUS

RTF / .DOC

75.4 KB
MD5: b156ed4230557289721a0256a6aa23ea SHA-1: 59d8da9d1c4ec783f59d9c6ba330e4392151cb9a SHA-256: 8e97e85fd5881e5f4f31f95f5bc13de014ab3a3f278fec651f5208a73f22259e
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious File T1059.003 Windows Command Shell

The file is an RTF document containing OLE object data, specifically triggering critical heuristics for Equation Editor exploitation. The \objupdate directive indicates that the embedded OLE object will be activated automatically upon opening. This strongly suggests an exploit delivery mechanism targeting the Equation Editor vulnerability (CVE-2017-11882 or similar). The primary goal is likely to download and execute a second-stage payload.

Heuristics 3

  • Split hex Equation Editor ProgID + OLE object critical RTF_EQUATION_EDITOR
    RTF embeds the Equation.3 ProgID as hex bytes near OLE object activation and splits the byte stream with whitespace or an ignorable RTF group. This is an Equation Editor OLE activation surface commonly used by CVE-2017-11882 / CVE-2018-0802 exploit documents.
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 2 \objdata section(s) — embedded OLE objects

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off000018e5.bin
267979cd4ef719843c3b75ee3c1314d6e86570a9650f0c613f03fcb7633b4c0e		 rtf-objdata-decoded RTF \objdata at offset 0x18E5 1866 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.