Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 9abb70441c1fb02e…

MALICIOUS

RTF / .DOC

14.6 KB
MD5: a980192d229fe850f5cc777f8d96c561
SHA-1: 8fbd2886a686f13a252be242c093ca804542cc77
SHA-256: 9abb70441c1fb02e6425d487da4500d3f5eaa08ca164a5568c3243c842a1c49b
Risk Score: 159

Malware Insights

MITRE ATT&CK
  • T1204.002 Malicious File Execution: Malicious File
  • T1559.001 Component Object Model Hijacking: Component Object Model

The RTF document contains embedded OLE objects that target the Equation Editor vulnerability. The presence of \objdata and \objupdate sections strongly indicates an attempt to exploit this known vulnerability for arbitrary code execution. No document body or script content was available for further analysis, but the exploit vector is clear.

Heuristics (4)

  • Equation Editor CLSID [critical] (RTF_EQUATION_EDITOR)
    Equation Editor OLE CLSID found inside an OLE object; exploited by CVE-2017-11882 / CVE-2018-0802 / CVE-2018-0798
  • \objupdate forces OLE activation [high] (RTF_OBJUPDATE)
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data [medium] (RTF_OBJDATA)
    RTF contains 2 \objdata section(s): embedded OLE objects
  • Embedded OLE object [medium] (RTF_OBJEMB)
    RTF contains \objemb: embedded OLE object

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off000010b6.bin
SHA-256:  137d6bd583570247ade2c720312de7c2ac547f6eb0a72f85c5ce850dafb50f5b
Kind:     rtf-objdata-decoded
Source:   RTF \objdata at offset 0x10B6
Size:     4153 bytes