Malicious RTF — malware analysis report

Static analysis result for SHA-256 9af05c1cb783bb50…

Verdict: MALICIOUS
File type: RTF
Size: 8.7 KB
MD5: 8bf656a930d62170864950522b5cd0c0
SHA-1: 84f35f08fb77e75a32314c6778a9da5afa8379ce
SHA-256: 9af05c1cb783bb50a2f280fd22bdc4a8b5160488afc7093a383e6e60cac4d90e
Risk score: 120

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1204.002 Malicious File

The sample is an RTF document that targets the Microsoft Equation Editor OLE component (EQNEDT32.EXE), as flagged by the RTF_EQUATION_EDITOR heuristic. The RTF_OBJDATA and RTF_OBJUPDATE heuristics show that an OLE object is embedded and that \objupdate forces it to be instantiated as soon as the document is opened, which is how such documents reach the vulnerable code without any user interaction beyond opening the file. The delivery vector is consistent with spearphishing. Exploit documents of this kind typically run a small stager that downloads and executes a secondary payload; this static result does not characterize that second stage, and no specific malware family could be identified.

Heuristics (3)

  • RTF_EQUATION_EDITOR (critical): Split hex Equation Editor ProgID + OLE object
    The RTF embeds the Equation.3 ProgID as hex bytes near an OLE object activation and splits the hex byte stream with whitespace or an ignorable RTF group, a common trick for evading naive string scanners. This is the Equation Editor OLE activation surface used by CVE-2017-11882 / CVE-2018-0802 exploit documents.
  • RTF_OBJUPDATE (high): \objupdate forces OLE activation
    The RTF contains \objupdate, which forces the embedded OLE object to be instantiated automatically when the document is opened, so the exploit fires without any user interaction beyond opening the file. This control word is almost exclusively seen in Equation Editor exploit documents.
  • RTF_OBJDATA (medium): OLE object data
    The RTF contains 1 \objdata section(s), i.e. embedded OLE object(s).
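The three heuristics above, and the carve in the Extracted artifacts section, all come down to the same operation: locate each \objdata destination, reassemble the hex stream across whitespace and ignorable groups, decode it, and read the OLE 1.0 object header that carries the ProgID. The following Python is an added illustration written for this page, not code from the analysis engine that produced the report. It runs on a constructed RTF (clearly not the analysed sample) that splits the "Equation.3" ProgID across whitespace and an ignorable {\* ...} group and carries \objupdate; the severity ranking, the artifact naming scheme and the assumption that the artifact offset refers to the \objdata keyword are choices made here, not facts taken from the report.

```python
import re
import struct

# Constructed sample (not the analysed file): a minimal RTF whose \objdata hex
# stream is broken up by whitespace and an ignorable {\* ...} group, and which
# carries \objupdate so the object is instantiated as soon as the file is opened.
SAMPLE_RTF = (
    b"{\\rtf1\\ansi\\deff0\n"
    b"{\\object\\objemb\\objupdate\\objw100\\objh100\n"
    b"{\\*\\objdata 01050000 02000000 0b000000\n"
    b"4571756174{\\*\\ignoreme junk 00}696f6e2e3300\n"      # "Equation.3\0", split
    b"00000000 00000000 04000000 deadbeef}\n"
    b"{\\result{\\pict\\wmetafile8 0100}}}\n"
    b"}\n"
)

HEX_DIGITS = frozenset(b"0123456789abcdefABCDEF")
CONTROL = re.compile(rb"\\[a-zA-Z]+-?\d*|\\.", re.DOTALL)   # control word or symbol


def extract_objdata(rtf):
    """Return [(offset, decoded_bytes)] for every \\objdata destination.

    Hex digits are collected across whitespace and line breaks; nested groups
    (including ignorable {\\* ...} groups) and control words inside the
    destination are skipped, which defeats the byte-stream splitting that the
    RTF_EQUATION_EDITOR heuristic describes.
    """
    found = []
    for m in re.finditer(rb"\\objdata\b", rtf):
        i, depth, digits = m.end(), 0, bytearray()
        while i < len(rtf):
            c = rtf[i]
            if c == 0x7B:                       # '{' opens a nested group
                depth += 1
            elif c == 0x7D:                     # '}'
                if depth == 0:
                    break                       # end of the \objdata group
                depth -= 1
            elif depth == 0:
                if c == 0x5C:                   # '\' starts a control word/symbol
                    cw = CONTROL.match(rtf, i)
                    i += len(cw.group(0)) if cw else 1
                    continue
                if c in HEX_DIGITS:
                    digits.append(c)
            i += 1
        if len(digits) % 2:
            digits.pop()                        # discard a dangling nibble
        found.append((m.start(), bytes.fromhex(digits.decode("ascii"))))
    return found


def parse_ole1(blob):
    """Parse the OLE 1.0 object header carried by \\objdata: OLEVersion,
    FormatID (2 = embedded object), a length-prefixed NUL-terminated ClassName
    (the ProgID), then TopicName, ItemName and the native data."""
    try:
        version, fmt, name_len = struct.unpack_from("<III", blob, 0)
        classname = blob[12:12 + name_len].rstrip(b"\x00").decode("latin-1")
        pos = 12 + name_len
        for _ in range(2):                      # TopicName, ItemName (usually empty)
            (n,) = struct.unpack_from("<I", blob, pos)
            pos += 4 + n
        (native_size,) = struct.unpack_from("<I", blob, pos)
    except struct.error:
        return None                             # truncated or non-OLE1 blob
    if fmt != 2:
        return None
    return {"version": version, "classname": classname,
            "native": blob[pos + 4:pos + 4 + native_size]}


def triage(rtf):
    """Reproduce the three page heuristics; severity ranking is this example's own."""
    objects, equation = [], False
    for off, blob in extract_objdata(rtf):
        hdr = parse_ole1(blob)
        classname = hdr["classname"] if hdr else ""
        # Exploit documents vary the ProgID's case and sometimes damage the
        # header, so also scan the decoded bytes themselves.
        if classname.lower().startswith("equation") or re.search(rb"equation", blob, re.I):
            equation = True
        objects.append({"offset": off, "size": len(blob), "classname": classname})
    objupdate = re.search(rb"\\objupdate\b", rtf) is not None
    if equation:
        severity = "critical"
    elif objupdate:
        severity = "high"
    elif objects:
        severity = "medium"
    else:
        severity = "none"
    return {"objupdate": objupdate, "objdata_count": len(objects),
            "objects": objects, "equation_editor": equation, "severity": severity}


def carve(rtf):
    """Decoded \\objdata streams keyed by an artifact name in the report's style
    (index plus offset); using the \\objdata keyword's offset is an assumption."""
    return {f"objdata_{n:02d}_off{off:08x}.bin": blob
            for n, (off, blob) in enumerate(extract_objdata(rtf))}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_RTF), indent=2))
    for name, blob in carve(SAMPLE_RTF).items():
        print(name, len(blob), "bytes, header:", parse_ole1(blob))
```

Pointing `triage()` at a real file (`open(path, "rb").read()`) gives the same three signals the report lists; the carved blobs are what you would hand to a CLSID/ProgID lookup or run through an Equation Editor MTEF parser next. Note that the byte-stream reassembly deliberately ignores everything that is not a hex digit at group depth 0, which is why the whitespace and the `{\*\ignoreme ...}` group in the sample do not break the decoded ProgID.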

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00000c80.bin
SHA-256: 912c90a54131e9bcb3f7172e7fc0c5269577b0679dfafad9234ae17ce2acb853
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0xC80
Size: 1698 bytes