Malicious RTF — malware analysis report

Static analysis result for SHA-256 8f5146d287ac6cb7…

MALICIOUS

RTF

Size: 10.6 KB
First seen: 2023-03-31
MD5: 409e6c1dd82691daeb9823579810efde
SHA-1: 078edbb0d8ed6c0c47cc368e8ae63cb66472f9ec
SHA-256: 8f5146d287ac6cb71296c853961cd904f568df0c7ecbf7020aec016a3cbfa619
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.001 Malicious Link

The sample is an RTF document containing an OLE object with a split Equation Editor ProgID, indicating exploitation of CVE-2017-11882. The \objupdate directive forces OLE activation, likely triggering the execution of embedded malicious code. This mechanism is commonly used to download and execute a second-stage payload.

Heuristics (3)

  • Split hex Equation Editor ProgID + OLE object (severity: critical, rule: RTF_EQUATION_EDITOR)
    RTF embeds the Equation.3 ProgID as hex bytes near OLE object activation and splits the byte stream with whitespace or an ignorable RTF group. This is an Equation Editor OLE activation surface commonly used by CVE-2017-11882 / CVE-2018-0802 exploit documents.
  • \objupdate forces OLE activation (severity: high, rule: RTF_OBJUPDATE)
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium, rule: RTF_OBJDATA)
    RTF contains 1 \objdata section(s), i.e. embedded OLE objects.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename                    Kind                 Source                        Size
objdata_00_off00000c6e.bin  rtf-objdata-decoded  RTF \objdata at offset 0xC6E  1454 bytes
  SHA-256: 212aeb7ae1172adb6aebaf20b3e9b280cacde7fb27d1dc745465f297774700bb