Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 9bf192b16e9394bb…

MALICIOUS

RTF / .DOC

26.7 KB First seen: 2023-10-22
MD5: b29acb5d430c1be85fd18e815bbd696e SHA-1: 9aa3f461b40f23f0f48739f7729ebc7311b0e60b SHA-256: 9bf192b16e9394bbe64867e02a5c843e39fe82128769e03fad1a18ec742346f7
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment T1204.002 Malicious File: Malicious Attachment

The sample is an RTF document that leverages a known vulnerability in the Equation Editor component. The presence of \objdata and \objupdate heuristics strongly suggests that the document is designed to exploit this vulnerability, likely to download and execute a secondary payload. The specific exploit used is identified as RTF_EQUATION_EDITOR.

Heuristics 3

  • Split hex Equation Editor ProgID + OLE object critical RTF_EQUATION_EDITOR
    RTF embeds the Equation.3 ProgID as hex bytes near OLE object activation and splits the byte stream with whitespace or an ignorable RTF group. This is an Equation Editor OLE activation surface commonly used by CVE-2017-11882 / CVE-2018-0802 exploit documents.
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off0000126d.bin
adad4d3e3d75dc6a4f2481b2b7091eb5d4c549f98fc705b459673a46b1ab3438		 rtf-objdata-decoded RTF \objdata at offset 0x126D 1728 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.