Malicious RTF — malware analysis report

Static analysis result for SHA-256 97820ec755717237…

MALICIOUS

RTF

Size: 63.5 KB    First seen: 2019-12-09
MD5:     7bdbb7ecf095418088dbd4c220cbd584
SHA-1:   37d3d1cf3fb26614dc42232abd17156e2d4fdd87
SHA-256: 97820ec755717237f3414547576d6ec23e1bc1edd7607361e347837e9b34e4fb
Risk score: 160

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1566.001 Spearphishing Attachment

The RTF document embeds an OLE object whose class is the Microsoft Equation Editor (EQNEDT32.EXE), the component targeted by CVE-2017-11882, CVE-2018-0802 and CVE-2018-0798. An Equation Editor object by itself is not proof of exploitation, but here it is combined with \objupdate, which makes Word instantiate the object as soon as the document is opened instead of waiting for the user to activate it; the RTF_EQUATION_EDITOR and RTF_OBJUPDATE heuristics together therefore strongly indicate an attempt to execute code on open. This is a common way of delivering payloads through e-mail attachments (T1566.001), with the exploit itself running inside the Equation Editor process (T1203). To confirm, parse the carved \objdata payload listed under Extracted artifacts and inspect the MTEF equation stream for the oversized FONT record (CVE-2017-11882, CVE-2018-0802) or MATRIX record (CVE-2018-0798) these CVEs abuse. Note that Microsoft removed the Equation Editor from Office with the January 2018 updates, so on a patched host the object fails to activate, but the phishing lure and any second-stage payload are still worth extracting.

Heuristics (4)

  • Equation Editor CLSID, CVE likely [critical] RTF_EQUATION_EDITOR
    Equation Editor OLE CLSID {0002CE02-0000-0000-C000-000000000046} found inside an OLE object; this component is the target of CVE-2017-11882, CVE-2018-0802 and CVE-2018-0798.
  • Automatically linked OLE object [high] RTF_OBJAUTLINK
    RTF contains \objautlink: an automatically linked OLE object, a surface that Word can update or activate when it opens the document.
  • \objupdate forces OLE activation [high] RTF_OBJUPDATE
    RTF contains \objupdate: forces the OLE object to be instantiated as soon as the document is opened, without any user interaction. Rarely seen in benign documents; almost exclusively in Equation Editor exploit documents.
  • OLE object data [medium] RTF_OBJDATA
    RTF contains 1 \objdata section(s): hex-encoded embedded OLE object payload(s).

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  Filename: objdata_00_off0000006b.bin
  Kind:     rtf-objdata-decoded
  Source:   RTF \objdata at offset 0x6B
  Size:     19222 bytes
  SHA-256:  a272fd077bc8282ab5b7f2b8820156b71193bc5f62d780e14a1f8aea0b88f214
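The four heuristics and the artifact carving above can be reproduced with a short scanner. The following is an added example written for this page, not the analysis platform's own detection code: it looks for the \objupdate and \objautlink control words, hex-decodes each \objdata group and records its offset and SHA-256 the way the artifact table does, parses the OLE 1.0 ObjectHeader (layout per MS-OLEDS) to recover the object's class name, and matches the Equation Editor CLSID bytes inside the decoded object. Rule ids and severities are taken from the report; the RTF it scans is constructed inline and is not the analysed sample. The hex cleaning is deliberately simple, so obfuscated real-world droppers (nested groups, junk between hex digits, \bin runs) need a proper RTF parser such as oletools' rtfobj.

```python
import hashlib
import re
import struct

# Equation Editor (EQNEDT32.EXE) class identifier {0002CE02-0000-0000-C000-000000000046}
# as it is stored on disk: Data1..Data3 little-endian, Data4 byte for byte.
EQUATION_EDITOR_CLSID = bytes.fromhex("02CE020000000000C000000000000046")

# Control words the report's heuristics key on, with the rule ids and severities used above.
CONTROL_WORD_RULES = {
    b"\\objupdate": ("RTF_OBJUPDATE", "high"),
    b"\\objautlink": ("RTF_OBJAUTLINK", "high"),
}

OBJDATA_RE = re.compile(rb"\\objdata\b(.*?)\}", re.DOTALL)
NON_HEX_RE = re.compile(rb"[^0-9A-Fa-f]")


def control_word_present(rtf, word):
    """True if the control word occurs as a whole word (\\objupdate, not \\objupdatex)."""
    return re.search(re.escape(word) + rb"(?![A-Za-z])", rtf) is not None


def carve_objdata(rtf):
    """Return [(offset_of_objdata_group, decoded_bytes)] for every \\objdata group.
    Whitespace and line breaks are legal inside the hex run and are dropped; this simple
    filter drops any other junk too, which is a simplification (real droppers abuse it)."""
    carved = []
    for m in OBJDATA_RE.finditer(rtf):
        hexrun = NON_HEX_RE.sub(b"", m.group(1))
        if len(hexrun) % 2:
            hexrun = hexrun[:-1]          # tolerate a dangling nibble
        carved.append((m.start(), bytes.fromhex(hexrun.decode("ascii"))))
    return carved


def read_lp_ansi(buf, off):
    """MS-OLEDS LengthPrefixedAnsiString: 4-byte length (counts the NUL), then the bytes."""
    (length,) = struct.unpack_from("<I", buf, off)
    off += 4
    return buf[off:off + length].rstrip(b"\x00"), off + length


def parse_ole1_header(obj):
    """Parse the OLE 1.0 ObjectHeader that starts every \\objdata payload (MS-OLEDS 2.2.4).
    Returns None when the bytes are too short to hold one."""
    try:
        ole_version, format_id = struct.unpack_from("<II", obj, 0)
        class_name, off = read_lp_ansi(obj, 8)
        topic_name, off = read_lp_ansi(obj, off)
        item_name, off = read_lp_ansi(obj, off)
        native_size = 0
        if format_id == 2:                # 2 = embedded object, 1 = linked object
            (native_size,) = struct.unpack_from("<I", obj, off)
            off += 4
    except struct.error:
        return None
    return {"ole_version": ole_version, "format_id": format_id, "class_name": class_name,
            "topic_name": topic_name, "item_name": item_name,
            "native_size": native_size, "native_offset": off}


def scan_rtf(rtf):
    """Apply the report's four heuristics; returns [(rule_id, severity, detail)]."""
    findings = []
    for word, (rule, severity) in CONTROL_WORD_RULES.items():
        if control_word_present(rtf, word):
            findings.append((rule, severity, "RTF contains " + word.decode()))
    objects = carve_objdata(rtf)
    if objects:
        findings.append(("RTF_OBJDATA", "medium",
                         "RTF contains %d \\objdata section(s)" % len(objects)))
    for offset, obj in objects:
        hdr = parse_ole1_header(obj)
        by_name = hdr is not None and hdr["class_name"].lower().startswith(b"equation")
        if by_name or EQUATION_EDITOR_CLSID in obj:
            findings.append(("RTF_EQUATION_EDITOR", "critical",
                             "Equation Editor object in \\objdata at offset 0x%X (sha256 %s)"
                             % (offset, hashlib.sha256(obj).hexdigest())))
    return findings


def lp_ansi(s):
    """Encode a LengthPrefixedAnsiString; length 0 means the string is absent."""
    if not s:
        return struct.pack("<I", 0)
    return struct.pack("<I", len(s) + 1) + s + b"\x00"


def build_sample_rtf():
    """Constructed input for this example (not the analysed sample): a minimal RTF whose
    embedded OLE 1.0 object is named Equation.3, whose native data carries the Equation
    Editor CLSID, and which uses \\objupdate so Word activates the object on open."""
    native = (b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"       # compound-file magic, stand-in for a real storage
              + b"\x00" * 8 + EQUATION_EDITOR_CLSID + b"\x00" * 16)
    ole1 = (struct.pack("<II", 0x00000501, 2) + lp_ansi(b"Equation.3")
            + lp_ansi(b"") + lp_ansi(b"") + struct.pack("<I", len(native)) + native)
    hexrun = ole1.hex().encode("ascii")
    wrapped = b"\n".join(hexrun[i:i + 64] for i in range(0, len(hexrun), 64))
    return (b"{\\rtf1\\ansi\n{\\object\\objemb\\objupdate\\objw380\\objh260\n"
            b"{\\*\\objclass Equation.3}\n{\\*\\objdata \n" + wrapped + b"\n}\n}\n}")


if __name__ == "__main__":
    for rule, severity, detail in scan_rtf(build_sample_rtf()):
        print(rule, severity, detail)
```

Run against the constructed document it reports RTF_OBJUPDATE, RTF_OBJDATA and RTF_EQUATION_EDITOR, and nothing for a plain RTF with no object. The class-name and CLSID checks are kept independent on purpose: droppers sometimes blank the \objclass and OLE1 class name while the CLSID inside the compound-file storage still identifies the server Word will launch.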