Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 976993901c2dd38d…

MALICIOUS

RTF / .DOC

Size: 33.0 KB
Authoring application: Riched20 6.3.9600
First seen: 2022-08-08
MD5: 088e55da11e301419586a37204f3a51c
SHA-1: 605322507a7fcde98442a58a10833de83e5025e5
SHA-256: 976993901c2dd38d833124be95073dca9af3466423c5de6b675bbcc7a8d5e4f6
Risk Score: 380

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1559.002 Component Object Model Hijacking (the ID and the name do not agree: in ATT&CK, T1559.002 is Inter-Process Communication: Dynamic Data Exchange, T1559.001 is Component Object Model, and COM Hijacking is T1546.015 under Event Triggered Execution; for an OLE-activated Equation Editor object the likely intended mapping is T1559.001)
  • T1059.003 Windows Command Shell

The RTF document contains multiple indicators of malicious activity: embedded OLE objects, the Equation Editor CLSID, an \objupdate control word that activates the object without any user interaction, and a malformed MTEF FONT record that matches the CVE-2017-11882 stack buffer overflow in EQNEDT32.EXE. Opening the document on an Office installation that still carries the vulnerable EQNEDT32.EXE is enough to trigger the exploit; the shellcode in such documents typically runs a command shell or downloads and executes a second-stage payload. RTF_MZ_HEX shows a hex-encoded PE (MZ header plus DOS stub) inside the document, and an OLE Package object is present as well, so the payload may be dropped from the document itself rather than fetched from the network. Static analysis establishes that the executable is present; whether and how it is launched is only confirmed by detonation or by analysing the carved objects.

Heuristics (9)

  • CVE-2017-11882 — Equation Editor FONT record overflow [critical] CVE_2017_11882
    The Equation Editor MTEF stream contains an overlong FONT typeface field, the field that the EQNEDT32.EXE routine targeted by CVE-2017-11882 copies into a fixed-size stack buffer without a length check. This is stronger evidence than the Equation Editor CLSID alone because it identifies the malformed record that drives code execution.
  • Equation Editor CLSID [critical] RTF_EQUATION_EDITOR
    Equation Editor OLE CLSID found inside an OLE object. Equation Editor is the component exploited by CVE-2017-11882, CVE-2018-0802 and CVE-2018-0798; the CLSID shows the object will be handed to EQNEDT32.EXE, not which bug is used.
  • PE header (with DOS stub) in hex data [critical] RTF_MZ_HEX
    Hex-encoded PE (MZ magic plus DOS stub) found inside the RTF, most likely an embedded executable payload.
  • ClamAV: Rtf.Exploit.CVE_2017_11882-6584355-1 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Rtf.Exploit.CVE_2017_11882-6584355-1
  • \objupdate forces OLE activation [high] RTF_OBJUPDATE
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, so no user interaction is required. Almost exclusively seen in Equation Editor exploit documents.
  • Package object class [high] RTF_OBJCLASS_PACKAGE
    OLE Package object, which can wrap an arbitrary file, including an executable.
  • OLE object data [medium] RTF_OBJDATA
    RTF contains 3 \objdata section(s), i.e. embedded OLE objects.
  • Embedded OLE object [medium] RTF_OBJEMB
    RTF contains \objemb, an embedded OLE object.
  • OlePres presentation stream in RTF OLE object [medium] RTF_OLEPRES_STREAM
    RTF contains an embedded OLE object with an OlePres presentation stream. OlePres is an OLE presentation marker and is not enough on its own to identify CVE-2025-21298.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: objdata_00_off000000ef.bin
  SHA-256: fec5e76b171d56f37e9f9fa97eac287818bafd7977235c06797f0d01a9c8a340
  Kind: rtf-objdata-decoded
  Source: RTF \objdata at offset 0xEF
  Size: 8423 bytes

Filename: objdata_01_off0000430c.bin
  SHA-256: 4c20d06c8eb5cea2bfabd46931e5e8a8a93db4a87f490997bf91b386bfbb20bb
  Kind: rtf-objdata-decoded
  Source: RTF \objdata at offset 0x430C
  Size: 3980 bytes

Filename: objdata_02_off00006552.bin
  SHA-256: f9991e41c93f8c5df2151626af256c4cef325ac70303c7e05e60886e6109c361
  Kind: rtf-objdata-decoded
  Source: RTF \objdata at offset 0x6552
  Size: 3546 bytes