Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 9ec972333e8ee5a0…

MALICIOUS

RTF / .DOC

13.2 KB First seen: 2023-06-06
MD5: 814c549027ffa7b070b8dcbdf94c3124 SHA-1: 3bc00c380c958fb225da0224ad8a90df6af8d265 SHA-256: 9ec972333e8ee5a045f432e0d9829a85b10361f717c57482c322d7077e237b3d
160 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment T1204.001 User Execution: Malicious Link

The sample is an RTF document containing OLE object data, specifically targeting the Equation Editor vulnerability. The presence of \objdata, \objautlink, and \objupdate heuristics strongly indicates exploitation of CVE-2017-11882. This vulnerability allows for the execution of arbitrary code, typically used to download and run a second-stage payload.

Heuristics 4

  • Split hex Equation Editor ProgID + OLE object critical RTF_EQUATION_EDITOR
    RTF embeds the Equation.3 ProgID as hex bytes near OLE object activation and splits the byte stream with whitespace or an ignorable RTF group. This is an Equation Editor OLE activation surface commonly used by CVE-2017-11882 / CVE-2018-0802 exploit documents.
  • Automatically linked OLE object high RTF_OBJAUTLINK
    RTF contains \objautlink — an automatically linked OLE object surface that can be updated or activated when Word opens the document.
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off00001af9.bin
893cf29958945ed7705b88db1cf4fe36c64506652cd9e794d06fbcfef603fa1a		 rtf-objdata-decoded RTF \objdata at offset 0x1AF9 843 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.