Malicious RTF — malware analysis report

Static analysis result for SHA-256 947b31383bee46a9…

MALICIOUS

RTF

13.0 KB
MD5: c11c7bd737d1dcf126e3cea347737ae6 SHA-1: 06a1a303f4def56dc56257425239f5abea7c1b33 SHA-256: 947b31383bee46a9d4699deb8821af8f2ffc338716c13e981b7adb4e4541af91
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious File

The sample is an RTF document that leverages the Equation Editor vulnerability (CVE-2017-11882) to execute arbitrary code. The presence of \objdata and \objupdate heuristics strongly indicates the exploitation of OLE objects within the RTF. This technique is commonly used to download and execute a second-stage payload, leading to a full system compromise.

Heuristics 3

  • Split hex Equation Editor ProgID + OLE object critical RTF_EQUATION_EDITOR
    RTF embeds the Equation.3 ProgID as hex bytes near OLE object activation and splits the byte stream with whitespace or an ignorable RTF group. This is an Equation Editor OLE activation surface commonly used by CVE-2017-11882 / CVE-2018-0802 exploit documents.
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off00001da1.bin
aa5ddafd11da875d3fa0e6791d6557df7f3516cfb40143906609b9d1f8c2a4ad		 rtf-objdata-decoded RTF \objdata at offset 0x1DA1 1769 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.