Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 97d9d61b6c7d78dc…

MALICIOUS

RTF / .DOC

312.1 KB
MD5: 04cba910e29bd89df2c6c9033643a5ac SHA-1: 58346865cdd102f062d7ad6d3f07628d4841902a SHA-256: 97d9d61b6c7d78dce8c364e7c9efcaa6eb3dfebac9be51b4d6428782e49fcb43
142 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.001 PowerShell T1204.002 Malicious File

The sample is an RTF document containing an embedded OLE object that decodes to a PE file, indicative of a malicious exploit. The 'RTF_EQUATION_EDITOR' heuristic firing strongly suggests exploitation of the Equation Editor vulnerability. The embedded object, objdata_00_off000018ae.bin, is the likely payload carrier. The overall attack pattern involves luring the user to open the document, triggering the exploit to download and execute a secondary payload.

Heuristics 5

  • Decoded Equation Editor payload + PE critical RTF_EQUATION_EDITOR
    RTF decodes to an Equation Editor ProgID adjacent to OLE activation and the same decoded object stream contains embedded PE bytes. This matches the Equation Editor exploit surface used by CVE-2017-11882 / CVE-2018-0802 documents, while requiring payload evidence to avoid flagging benign Equation references.
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects
  • Embedded OLE object medium RTF_OBJEMB
    RTF contains \objemb — embedded OLE object
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off000018ae.bin
2e0b06865e0ee13878f1cbb51084015ea4b5aa1dbfd0324c5c56241102698591		 rtf-objdata-decoded RTF \objdata at offset 0x18AE 156415 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 8.00, consistent with packed or encrypted content.

Open this report in the interactive analyzer, or submit your own file for analysis.