Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 9ac88b8b37773d45…

Verdict: MALICIOUS
File type: RTF / .DOC
Size: 20.7 KB
MD5: a6a4cf7e1fc898e080500ad0898b903b
SHA-1: a831a7adbb2b11ca3216e3420e03f37321c471f5
SHA-256: 9ac88b8b37773d454204b4442ad574b42b103cade900b6e95d0d26b5abd4503d
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1204.002 User Execution: Malicious File

The sample is an RTF document that contains OLE object data and specifically triggers the RTF_EQUATION_EDITOR heuristic, indicating the use of a known vulnerability in the Equation Editor component. The RTF_OBJUPDATE heuristic further suggests that the embedded OLE object is designed to be activated, leading to code execution. This points to an exploit delivery mechanism, likely for downloading and executing a secondary payload.

Heuristics (3)

  • RTF_EQUATION_EDITOR (critical): Split hex Equation Editor ProgID + OLE object
    RTF embeds the Equation.3 ProgID as hex bytes near OLE object activation and splits the byte stream with whitespace or an ignorable RTF group. This is an Equation Editor OLE activation surface commonly used by CVE-2017-11882 / CVE-2018-0802 exploit documents.
  • RTF_OBJUPDATE (high): \objupdate forces OLE activation
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • RTF_OBJDATA (medium): OLE object data
    RTF contains 2 \objdata section(s) — embedded OLE objects.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off0000149a.bin
SHA-256: f310c24c9f7cb15b77ff002fb4100859904059e4ceef5bc40b38ea92f6d9d3df
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x149A
Size: 2066 bytes