Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 94813fb713b0e758…

Verdict: MALICIOUS
File type: RTF / .DOC
Size: 37.9 KB
MD5: ad0f9c56ee043931b29fe72b175512fb
SHA-1: 3d59319fb0ddc0be6ec0bf8ad1e4138c6de2273d
SHA-256: 94813fb713b0e758db6696738b44ce13078ec27c4bfcf4c95e09cdb7bea9040f
Risk Score: 147

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The RTF document embeds OLE object data whose class identifier is the Equation Editor (EQNEDT32.EXE) CLSID, the component targeted by the memory-corruption vulnerabilities CVE-2017-11882 / CVE-2018-0802 / CVE-2018-0798 listed under Heuristics. The \objupdate control word makes Word load and update the object as soon as the document is opened, so the vulnerable Equation Editor process is started without any user interaction and the crafted object data can trigger the overflow and run attacker-controlled code. No scripts or second-stage payloads were recovered statically, so the exploit mechanism is clear but which of the three CVEs is used, and what the shellcode does afterwards, can only be determined by disassembling the decoded object data or by detonating the sample dynamically.

Heuristics (3)

  • Equation Editor CLSID [critical] (RTF_EQUATION_EDITOR)
    Equation Editor OLE CLSID {0002CE02-0000-0000-C000-000000000046} found inside an OLE object; this is the component exploited by CVE-2017-11882 / CVE-2018-0802 / CVE-2018-0798.
  • \objupdate forces OLE activation [high] (RTF_OBJUPDATE)
    RTF contains \objupdate, which makes Word instantiate and update the OLE object automatically when the document is opened, so the exploit fires without the user clicking the object. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data [medium] (RTF_OBJDATA)
    RTF contains 2 \objdata section(s): embedded OLE objects.
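The three heuristics above (and the mechanism described under Malware Insights) can be reproduced with a small scanner. The following is an added example written for this report, not code from the analysis pipeline that produced it: it walks every \objdata destination in an RTF (honouring nested braces and junk control words, which real samples use to defeat naive hex decoders), hex-decodes the OLE blob, and looks for the little-endian encoding of the Equation Editor CLSID; the additional check for the OLE1 ProgID string "Equation.3" is my own assumption about typical object headers. The sample document it scans is constructed inline (an OLE1 header plus the CLSID bytes, with no exploit payload) and the rule names, severities and verdict mapping mirror this report.

```python
"""Heuristic scanner for Equation Editor exploit RTFs (added example, not the report's own tooling)."""
from __future__ import annotations

import re
import uuid
from dataclasses import dataclass

# Equation Editor 3.0 class identifier {0002CE02-0000-0000-C000-000000000046}.
EQNEDT_CLSID = uuid.UUID("0002ce02-0000-0000-c000-000000000046")
EQNEDT_CLSID_LE = EQNEDT_CLSID.bytes_le  # GUIDs are stored little-endian inside OLE structures
EQNEDT_PROGID = b"Equation.3"            # OLE1 class name seen before the OLE2 blob (assumed extra check)

# Everything that is not object hex inside \objdata: control words (\bin123), control symbols
# and escaped braces (\*, \{), braces and whitespace.
CONTROL = re.compile(rb"\\[A-Za-z]+-?\d*|\\.")
NON_HEX = re.compile(rb"[^0-9A-Fa-f]")
OBJUPDATE = re.compile(rb"\\objupdate(?![A-Za-z])")


@dataclass
class Finding:
    rule: str
    severity: str
    detail: str


def iter_objdata(rtf: bytes):
    """Yield (offset, raw group body) for every \\objdata destination, honouring nested braces."""
    key = b"\\objdata"
    pos = 0
    while (k := rtf.find(key, pos)) != -1:
        end = k + len(key)
        if rtf[end:end + 1].isalpha():  # a longer control word such as \objdataXYZ, not ours
            pos = end
            continue
        depth, i = 1, end
        while i < len(rtf) and depth:
            c = rtf[i:i + 1]
            if c == b"\\":              # skip control symbols and escaped braces like \{ and \}
                i += 2
                continue
            if c == b"{":
                depth += 1
            elif c == b"}":
                depth -= 1
            i += 1
        yield k, rtf[end:i - 1 if depth == 0 else i]
        pos = i


def decode_objdata(body: bytes) -> bytes:
    """Strip control words, braces and whitespace, then hex-decode what remains."""
    cleaned = NON_HEX.sub(b"", CONTROL.sub(b"", body))
    if len(cleaned) % 2:                # dangling nibble from a truncated blob: drop it
        cleaned = cleaned[:-1]
    return bytes.fromhex(cleaned.decode("ascii"))


def extract_objects(rtf: bytes) -> list[tuple[int, bytes]]:
    return [(off, decode_objdata(body)) for off, body in iter_objdata(rtf)]


def scan_rtf(rtf: bytes) -> list[Finding]:
    findings: list[Finding] = []
    objects = extract_objects(rtf)
    for off, blob in objects:
        if EQNEDT_CLSID_LE in blob or EQNEDT_PROGID in blob:
            findings.append(Finding("RTF_EQUATION_EDITOR", "critical",
                                    f"Equation Editor CLSID/ProgID in \\objdata at offset 0x{off:X}"))
            break
    if OBJUPDATE.search(rtf):
        findings.append(Finding("RTF_OBJUPDATE", "high",
                                "\\objupdate forces OLE object instantiation when the document is opened"))
    if objects:
        findings.append(Finding("RTF_OBJDATA", "medium", f"{len(objects)} \\objdata section(s)"))
    return findings


def classify(findings: list[Finding]) -> str:
    sev = {f.severity for f in findings}
    if "critical" in sev:
        return "MALICIOUS"
    if sev & {"high", "medium"}:
        return "SUSPICIOUS"
    return "CLEAN"


def build_sample_rtf() -> bytes:
    """Constructed test document (no exploit payload): an Equation.3 object with \\objupdate plus a harmless second object."""
    def ole1_header(progid: bytes) -> bytes:
        # OLE1 ObjectHeader: OLEVersion, FormatID 2 (embedded), class-name length, NUL-terminated name, empty topic/item names
        return (b"\x01\x05\x00\x00" + b"\x02\x00\x00\x00"
                + (len(progid) + 1).to_bytes(4, "little") + progid + b"\x00"
                + b"\x00" * 8)
    eq_blob = ole1_header(EQNEDT_PROGID) + b"\x00" * 32 + EQNEDT_CLSID_LE + b"\x00" * 32
    pkg_blob = ole1_header(b"Package") + b"\x00" * 64

    def obfuscate(hexdata: bytes) -> bytes:
        # Real samples break the hex stream with line breaks and junk groups to defeat naive decoders
        chunks = [hexdata[i:i + 13] for i in range(0, len(hexdata), 13)]
        return b"{\\*\\junk12}\r\n".join(chunks)

    return (b"{\\rtf1\\ansi\\deff0\n"
            b"{\\object\\objemb\\objupdate\\objw380\\objh220{\\*\\objclass Equation.3}"
            b"{\\*\\objdata\n" + obfuscate(eq_blob.hex().encode()) + b"\n}}\n"
            b"{\\object\\objemb{\\*\\objclass Package}{\\*\\objdata " + pkg_blob.hex().encode() + b"}}\n"
            b"\\par }")


if __name__ == "__main__":
    sample = build_sample_rtf()
    for f in scan_rtf(sample):
        print(f"[{f.severity:8}] {f.rule}: {f.detail}")
    print("verdict:", classify(scan_rtf(sample)))
```

Run it on a real sample with `scan_rtf(open(path, "rb").read())`; the decoded blobs from `extract_objects` are what the "Extracted artifacts" section below carves out, and they are the input for the next step (parsing the OLE2 compound file and disassembling the Equation record that carries the overflow).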

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00001c88.bin
SHA-256: d77194ee9181ac3e056119b1ed07c9152d7fece58b2426e6b74e6e6df320424d
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x1C88
Size: 4155 bytes