Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 95cd0e8151fd80f4…

MALICIOUS

RTF / .DOC

4.2 KB
MD5:     5c0bc7c7186ad3356a5f3b8d2134e023
SHA-1:   a4bab1a1edea203951480df4c7b94ff940561f34
SHA-256: 95cd0e8151fd80f473f886e8c9aa98ce10d3608a8ac9542d848634a3e0f80064

Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File

The RTF file contains embedded OLE objects and triggers heuristics for Equation Editor exploitation and forced object updates. This pattern is consistent with an attempt to exploit a known Equation Editor vulnerability, such as CVE-2017-11882, to execute code as soon as the document is opened. The \objdata sections confirm that OLE object data is embedded in the file.

Heuristics (3)

  • RTF_EQUATION_EDITOR (critical): Split hex Equation Editor ProgID + OLE object
    RTF embeds the Equation.3 ProgID as hex bytes near OLE object activation and splits the byte stream with whitespace or an ignorable RTF group. This is an Equation Editor OLE activation surface commonly used by CVE-2017-11882 / CVE-2018-0802 exploit documents.
  • RTF_OBJUPDATE (high): \objupdate forces OLE activation
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, without any user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • RTF_OBJDATA (medium): OLE object data
    RTF contains 2 \objdata section(s) (embedded OLE objects).
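The three heuristics above reduce to one parsing problem: pull the hex payload out of each \objdata group while skipping control words and nested ignorable groups, decode it, and then ask whether the Equation.3 ProgID was written contiguously or broken up. The scanner below is an added example, not the report's own detection code; the RTF it scans is a constructed sample that mimics the triggers (an \objupdate control word, an OLE1 ObjectHeader whose "Equation.3" ClassName hex is split by a space, an ignorable group and a newline, plus a second benign-looking "Package" object), not the analysed file. The carved-artifact naming (objdata_NN_offXXXXXXXX.bin, keyed on the offset of the \objdata keyword) and the "high" rating for an unsplit ProgID are this example's assumptions.

```python
from __future__ import annotations
import hashlib
import re
from dataclasses import dataclass

EQUATION_PROGID = b"Equation.3"
HEX_DIGITS = frozenset(b"0123456789abcdefABCDEF")

# Constructed sample, NOT the analysed file. Object 1: \objupdate plus an OLE1
# ObjectHeader (version 0x501, FormatID 2 = embedded, ClassName "Equation.3\0")
# whose ProgID hex is split by a space, an ignorable group and a newline.
# Object 2: a "Package" class name with nothing suspicious around it.
SAMPLE_RTF = (
    b"{\\rtf1\\ansi\n"
    b"{\\object\\objemb\\objupdate{\\*\\objclass Equation.3}{\\*\\objdata "
    b"01050000 02000000 0b000000 457175 {\\*\\nothing}617469\n6f6e2e3300 "
    b"0000000000000000 00000000 0000}}\n"
    b"{\\object\\objemb{\\*\\objdata 0105000002000000 08000000 5061636b61676500 00}}\n"
    b"}"
)


@dataclass
class ObjData:
    offset: int          # byte offset of the \objdata keyword in the RTF
    decoded: bytes       # hex payload decoded to bytes (nested groups excluded)
    offsets: list[int]   # raw RTF offset of every hex digit that was decoded


def _walk_objdata(rtf: bytes, start: int) -> tuple[bytearray, list[int]]:
    """Collect hex digits of the \\objdata group starting right after the keyword.
    Control words/symbols and nested groups such as {\\*\\foo} are skipped; each
    kept digit records where it came from, so a later check can tell whether a
    byte sequence was written contiguously or split across whitespace/groups."""
    hexchars, offsets, depth = bytearray(), [], 0
    i, n = start, len(rtf)
    while i < n:
        c = rtf[i]
        if c == 0x7B:                        # '{' opens a nested group
            depth += 1
        elif c == 0x7D:                      # '}'
            if depth == 0:
                break                        # closing brace of the \objdata group
            depth -= 1
        elif c == 0x5C:                      # '\' control word or control symbol
            i += 1
            if rtf[i:i + 1].isalpha():       # control word: letters, optional -digits, one space
                while rtf[i:i + 1].isalpha():
                    i += 1
                if rtf[i:i + 1] == b"-":
                    i += 1
                while rtf[i:i + 1].isdigit():
                    i += 1
                if rtf[i:i + 1] == b" ":
                    i += 1
            elif rtf[i:i + 1] == b"'":       # \'hh escape: skip its two hex digits too
                i += 3
            else:                            # control symbol such as \*
                i += 1
            continue
        elif depth == 0 and c in HEX_DIGITS:
            hexchars.append(c)
            offsets.append(i)
        i += 1
    return hexchars, offsets


def extract_objdata(rtf: bytes) -> list[ObjData]:
    out = []
    for m in re.finditer(rb"\\objdata(?![A-Za-z])", rtf):
        hexchars, offsets = _walk_objdata(rtf, m.end())
        if len(hexchars) % 2:                # drop a dangling nibble
            hexchars, offsets = hexchars[:-1], offsets[:-1]
        out.append(ObjData(m.start(), bytes.fromhex(hexchars.decode("ascii")), offsets))
    return out


def find_split_progid(obj: ObjData, progid: bytes = EQUATION_PROGID):
    """Return (decoded_index, was_split) for the ProgID, or None if absent. was_split
    is True when the ProgID's hex digits occupy more raw RTF bytes than the
    2*len(progid) they would take if written contiguously."""
    k = obj.decoded.find(progid)
    if k < 0:
        return None
    first, last = obj.offsets[2 * k], obj.offsets[2 * k + 2 * len(progid) - 1]
    return k, (last - first + 1) > 2 * len(progid)


def scan_rtf(rtf: bytes) -> dict:
    """Apply the three heuristics and carve each \\objdata payload (artifact naming assumed)."""
    objs = extract_objdata(rtf)
    findings = []
    if objs:
        findings.append(("RTF_OBJDATA", "medium", f"{len(objs)} \\objdata section(s)"))
    if re.search(rb"\\objupdate(?![A-Za-z])", rtf):
        findings.append(("RTF_OBJUPDATE", "high", "\\objupdate forces OLE activation on open"))
    for idx, obj in enumerate(objs):
        hit = find_split_progid(obj)
        if hit:
            k, split = hit
            sev = "critical" if split else "high"   # 'high' for an unsplit ProgID is this example's choice
            findings.append(("RTF_EQUATION_EDITOR", sev,
                             f"objdata #{idx}: {EQUATION_PROGID.decode()} at byte {k}, split={split}"))
    artifacts = [(f"objdata_{i:02d}_off{o.offset:08x}.bin",
                  hashlib.sha256(o.decoded).hexdigest(), len(o.decoded))
                 for i, o in enumerate(objs)]
    return {"objdata": objs, "findings": findings, "artifacts": artifacts}


if __name__ == "__main__":
    report = scan_rtf(SAMPLE_RTF)
    for rule, sev, detail in report["findings"]:
        print(f"{sev:8s} {rule:22s} {detail}")
    for name, digest, size in report["artifacts"]:
        print(f"{name}  {size} bytes  sha256={digest}")
```

Run it on the constructed sample and the first object is rated critical because "Equation.3" was decoded correctly yet its hex digits span far more than 20 raw bytes; the same ProgID written as one run of hex would only be rated high by this example. Real exploit documents also hide the ProgID behind other tricks (mixed case hex, \bin data, junk control words), so a production rule should treat the decoded bytes, not the raw text, as the thing to match on.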

Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename                   | Kind                | Source                       | Size       | SHA-256                                                          |
|----------------------------|---------------------|------------------------------|------------|------------------------------------------------------------------|
| objdata_00_off000000c4.bin | rtf-objdata-decoded | RTF \objdata at offset 0xC4 | 1815 bytes | ec5f6c118407481899420a3f0ac1f5a37ba728f747fd0f1c51c9332afee4d99b |