Malicious RTF — malware analysis report

Static analysis result for SHA-256 9f56bf6f67697b5f…

MALICIOUS

RTF

87.6 KB First seen: 2024-08-21
MD5: 9ecf1863c58b62b5478a1abd912e5b72 SHA-1: 398721250ba71f217b70508051edfea2a7d4380d SHA-256: 9f56bf6f67697b5feea58e889dd326238c5c98e89e86a6e16e7b532b9abaddad
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious File

The sample is an RTF document containing an embedded OLE object that leverages the Equation Editor vulnerability. The presence of `RTF_EQUATION_EDITOR` and `RTF_OBJUPDATE` heuristics indicates exploitation of a known vulnerability to achieve code execution. This is a common delivery mechanism for malware, likely intended to download and execute a further stage.

Heuristics 3

  • Split hex Equation Editor ProgID + OLE object critical RTF_EQUATION_EDITOR
    RTF embeds the Equation.3 ProgID as hex bytes near OLE object activation and splits the byte stream with whitespace or an ignorable RTF group. This is an Equation Editor OLE activation surface commonly used by CVE-2017-11882 / CVE-2018-0802 exploit documents.
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off00001e5a.bin
98af8ae146778c63a663aefcaf606d4181aabcdf8d5dfa781f94f78f6feb3705		 rtf-objdata-decoded RTF \objdata at offset 0x1E5A 1710 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.