Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 94422c3cc4af6c5a…

MALICIOUS

RTF / .DOC

77.1 KB
MD5: 4be4e123feaa1eafe9bb1f69110fb265 SHA-1: 31c216b6fbc48fa3d7ab55b50a30bbbfbc2a0f63 SHA-256: 94422c3cc4af6c5ae1192b984ca6ac0a7d7afb402180fb667ba99b2da7c8da35
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious File

The sample is an RTF document that contains an embedded OLE object, specifically targeting the Equation Editor vulnerability (CLSID). The \objupdate directive indicates that the embedded object is designed to be activated automatically upon opening the document. This strongly suggests an exploit delivery mechanism, likely leading to the execution of a secondary payload. No document body text or scripts were extracted, but the critical heuristic firings are sufficient to infer the attack vector.

Heuristics 3

  • Equation Editor CLSID critical RTF_EQUATION_EDITOR
    Equation Editor OLE CLSID found inside an OLE object — exploited by CVE-2017-11882 / CVE-2018-0802 / CVE-2018-0798
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off0000199c.bin
24f217154bfa8c032f32310a56239d27e1a678f53d225a10dd175f81fc30a5fc		 rtf-objdata-decoded RTF \objdata at offset 0x199C 4172 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.