Malicious RTF — malware analysis report

Static analysis result for SHA-256 a424c4312f97747e…

MALICIOUS

RTF

82.1 KB First seen: 2024-07-26
MD5: 0a9c028203a8416be8db7371550d0fb5 SHA-1: 2f576cdfbf4f60918676f6583265c504bdeefa21 SHA-256: a424c4312f97747efa22a627aa0c77c4f11022d171e11d3eeff00dd77b737520
120 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The RTF file contains an embedded OLE object with a split Equation Editor ProgID, indicating exploitation of CVE-2017-11882. The \objupdate directive forces OLE activation, leading to code execution. The embedded OLE object data is likely a secondary payload or exploit stage, but its contents could not be fully analyzed. The file's SHA256 hash is included as an IOC.

Heuristics 3

  • Split hex Equation Editor ProgID + OLE object critical RTF_EQUATION_EDITOR
    RTF embeds the Equation.3 ProgID as hex bytes near OLE object activation and splits the byte stream with whitespace or an ignorable RTF group. This is an Equation Editor OLE activation surface commonly used by CVE-2017-11882 / CVE-2018-0802 exploit documents.
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off00000f82.bin
57b3ed43f9fa81bedf5e4c7d111945f8f2f05f4b5539cefce1d03ebdb12e2099		 rtf-objdata-decoded RTF \objdata at offset 0xF82 1764 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.