Malicious RTF — malware analysis report

Static analysis result for SHA-256 8fd53e5f78693bc7…

Verdict: MALICIOUS
File type: RTF
Size: 8.7 KB
MD5: e70135cdb555ce99adee7df642813dcb
SHA-1: cbdcbfe1426651f5c2fba88872688309e308dd74
SHA-256: 8fd53e5f78693bc7639c94ef4a7969c5395c4e90ae255c0080f687811c8339e6
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1204.002 User Execution: Malicious File

The sample is an RTF document that targets the Microsoft Equation Editor vulnerability flagged by the RTF_EQUATION_EDITOR heuristic (CVE-2017-11882 / CVE-2018-0802). The embedded OLE object data together with the \objupdate control word indicate that the object is meant to be instantiated automatically when the document is opened, which is the activation path these exploit documents rely on rather than waiting for the user to click the object. The primary goal appears to be arbitrary code execution, which in this family of documents is typically a precursor to downloading and running a further payload.

Heuristics (3)

  • RTF_EQUATION_EDITOR (critical): split hex Equation Editor ProgID + OLE object
    The RTF embeds the Equation.3 ProgID as hex bytes next to OLE object activation and splits the byte stream with whitespace or an ignorable RTF group, a layout that defeats naive pattern matching on the contiguous string. This is the Equation Editor OLE activation surface commonly used by CVE-2017-11882 / CVE-2018-0802 exploit documents.
  • RTF_OBJUPDATE (high): \objupdate forces OLE activation
    The RTF contains \objupdate, which forces the embedded OLE object to be instantiated automatically when the document is opened, with no user interaction required. It is almost exclusively seen in Equation Editor exploit documents.
  • RTF_OBJDATA (medium): OLE object data
    The RTF contains 1 \objdata section, i.e. one embedded OLE object.
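The following script is an added worked example, not code from the analysis platform that produced this report, showing how the three heuristics above can be reproduced on a raw RTF file: it finds \objupdate, carves every \objdata hex stream while ignoring whitespace and any nested or ignorable {\*\...} group that splits the stream, decodes the hex, and searches the decoded OLE data for the Equation Editor ProgID. The decoded blob it returns is the same kind of object as the rtf-objdata-decoded artifact carved from this sample. SAMPLE_RTF is a constructed document for the demonstration (an OLE1-style header and the class name "Equation.3", no exploit payload); the function names and the structure of the result dictionary are this example's own choices, while the heuristic IDs match the report.

```python
"""Reproduce RTF_OBJUPDATE, RTF_OBJDATA and RTF_EQUATION_EDITOR on a raw RTF.

Added example; function names and result layout are this example's own.
"""
import re

HEXDIGITS = set("0123456789abcdefABCDEF")
# ProgID the Equation Editor heuristic keys on, matched inside the DECODED
# \objdata bytes so that whitespace / ignorable-group splitting does not hide it.
EQUATION_PROGID = re.compile(rb"equation\.\d", re.IGNORECASE)

# Constructed sample (not the report's real file): one embedded object with
# \objupdate and an \objdata stream holding an OLE1-style header followed by the
# class name "Equation.3\0". The hex is split by spaces, a line break and an
# ignorable {\*\fakesplit ...} group, as exploit documents commonly do.
SAMPLE_RTF = (
    r"{\rtf1\ansi{\object\objemb\objupdate{\*\objclass Equation.3}"
    r"{\*\objdata 01050000 02000000 0b0000004571{\*\fakesplit zz}75617469" "\n"
    r"6f6e2e3300}}}"
)


def _match_brace(rtf, start):
    """Return the index of the '}' that closes the group opened at rtf[start]."""
    depth = 0
    for j in range(start, len(rtf)):
        if rtf[j] == "{":
            depth += 1
        elif rtf[j] == "}":
            depth -= 1
            if depth == 0:
                return j
    return len(rtf) - 1  # unbalanced document: treat end of text as the close


def _skip_control(rtf, i):
    """Skip a control word (\\word[-]N[ ]) or control symbol (\\X) at rtf[i]."""
    j = i + 1
    if j >= len(rtf) or not rtf[j].isalpha():
        return j + 1                      # control symbol such as \* or \'
    while j < len(rtf) and rtf[j].isalpha():
        j += 1
    if j < len(rtf) and rtf[j] == "-":
        j += 1
    while j < len(rtf) and rtf[j].isdigit():
        j += 1                            # numeric parameter is NOT hex data
    if j < len(rtf) and rtf[j] == " ":
        j += 1                            # single delimiting space
    return j


def extract_objdata(rtf):
    """Carve every \\objdata stream -> [(offset_of_control_word, decoded_bytes)].

    Hex digits are collected up to the group's closing brace. Whitespace is
    ignored and nested groups (including ignorable {\\*\\...} groups used to
    split the stream) are skipped whole. Raw \\binN runs are not handled.
    """
    out = []
    for m in re.finditer(r"\\objdata\b", rtf):
        i = m.end()
        digits = []
        while i < len(rtf):
            c = rtf[i]
            if c == "}":
                break
            if c == "{":
                i = _match_brace(rtf, i) + 1
            elif c == "\\":
                i = _skip_control(rtf, i)
            else:
                if c in HEXDIGITS:
                    digits.append(c)
                i += 1
        hexstr = "".join(digits)
        if len(hexstr) % 2:               # tolerate an odd trailing nibble
            hexstr = hexstr[:-1]
        out.append((m.start(), bytes.fromhex(hexstr)))
    return out


def analyse_rtf(rtf):
    """Return findings for one RTF string, using the report's heuristic IDs."""
    objdata = [
        {"offset": off, "size": len(blob),
         "equation_progid": EQUATION_PROGID.search(blob) is not None}
        for off, blob in extract_objdata(rtf)
    ]
    objupdate = re.search(r"\\objupdate\b", rtf) is not None
    heuristics = []
    if any(o["equation_progid"] for o in objdata):
        heuristics.append("RTF_EQUATION_EDITOR")   # critical
    if objupdate:
        heuristics.append("RTF_OBJUPDATE")         # high
    if objdata:
        heuristics.append("RTF_OBJDATA")           # medium
    return {"objupdate": objupdate, "objdata": objdata, "heuristics": heuristics}


if __name__ == "__main__":
    import sys
    # latin-1 maps every byte 1:1, so binary junk in a real sample cannot break decoding
    text = (open(sys.argv[1], "rb").read().decode("latin-1")
            if len(sys.argv) > 1 else SAMPLE_RTF)
    for key, value in analyse_rtf(text).items():
        print(f"{key}: {value}")
```

Run it with no argument to see the constructed sample trigger all three heuristics, or pass a suspicious .rtf path to analyse a real file; to get the carved blob itself (the equivalent of the artifact below), write the bytes returned by extract_objdata to disk and hand them to an OLE parser. The search is done on decoded bytes on purpose: a regex for "Equation.3" over the raw RTF text would be defeated by exactly the whitespace and ignorable-group splitting the first heuristic describes.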

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00000986.bin
SHA-256: 9dc9f5d7bdde327e5a307d8dc7aaab232732a33600a45e3d7cc94c96ba09a5b0
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x986
Size: 1990 bytes