Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 9fa6b15e4eee9ebb…

Verdict: MALICIOUS
File type: RTF / .DOC
Size: 9.0 KB
First seen: 2022-04-27
MD5: 7e2f75a5f70c68474850482a86867dc6
SHA-1: 625fbe55dc94b0ef4e86d0e56b3524118c459f83
SHA-256: 9fa6b15e4eee9ebb0486ff3712bbc7de54aa41a31fffe0ae476a613926782d9f
Risk score: 121

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1204.001 Malicious Link
  • T1059.003 Windows Command Shell

The sample is an RTF document that contains embedded OLE object data. Heuristic analysis indicates that this data decodes to a PE file, most likely delivered through the Equation Editor vulnerability (CVE-2017-11882). The \objupdate directive forces activation of the embedded object when the document is opened, which leads to execution of the decoded payload. Because the decoded object is itself a PE file, it is likely a second-stage downloader or dropper.

Heuristics (3)

  • Decoded Equation Editor payload + PE (critical, RTF_EQUATION_EDITOR)
    The RTF decodes to an Equation Editor ProgID adjacent to OLE activation, and the same decoded object stream contains embedded PE bytes. This matches the Equation Editor exploit surface used by CVE-2017-11882 / CVE-2018-0802 documents; the heuristic requires payload evidence so that benign Equation references are not flagged.
  • \objupdate forces OLE activation (high, RTF_OBJUPDATE)
    The RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. This control word is seen almost exclusively in Equation Editor exploit documents.
  • OLE object data (medium, RTF_OBJDATA)
    The RTF contains 2 \objdata section(s), i.e. embedded OLE objects.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00000b1f.bin
SHA-256: 5c34b3fcdc0dcf6ae0f1efcfd88821131c4a602310513506ec91c86afb09e98e
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0xB1F
Size: 1934 bytes