Malicious RTF — malware analysis report

Static analysis result for SHA-256 944c36924e07d22b…

Verdict: MALICIOUS
Type: RTF
Size: 10.9 KB
MD5: c0b6191c56a2dcba4310fe6de722c259
SHA-1: ff434467d9eac97baf41d012004af0f1279433ff
SHA-256: 944c36924e07d22bb61434964cc02a1fc303aca4f3d659b93bf4eb8740769e62
Risk Score: 120

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment
T1204.002 User Execution: Malicious File

The RTF file contains an embedded OLE object that leverages the Equation Editor vulnerability. The "\objupdate" control word indicates that the OLE object is designed to be activated automatically when the document is opened, triggering the exploit without user interaction. This is a common technique for delivering malicious payloads and often leads to the download and execution of further malware. The exploit targets the Equation Editor component, a well-known vector for initial compromise.

Heuristics (3)

  • Split hex Equation Editor ProgID + OLE object — critical — RTF_EQUATION_EDITOR
    RTF embeds the Equation.3 ProgID as hex bytes near OLE object activation and splits the byte stream with whitespace or an ignorable RTF group. This is an Equation Editor OLE activation surface commonly used by CVE-2017-11882 / CVE-2018-0802 exploit documents.
  • \objupdate forces OLE activation — high — RTF_OBJUPDATE
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data — medium — RTF_OBJDATA
    RTF contains 1 \objdata section(s) (embedded OLE objects).

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00001b6f.bin
SHA-256: c798c62401970dc285ee41ee3bbd1a9d100c8d72ca2a66932dd2b8067f23759e
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x1B6F
Size: 1408 bytes