RTF malware analysis — malicious · a4358b898c418522

MALICIOUS

RTF

12.6 KB

MD5: 40f03856876fda8b3bda880d1d5a4636 SHA-1: d252c054154c5524dfbf3f3238b32f711290fd36 SHA-256: a4358b898c41852211ee727e4b8c0d05301bf4c6a90a4780c5a6f8b1b1cf5c81

160 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1204.002 Malicious File

The RTF file contains multiple indicators of malicious activity, specifically related to the Equation Editor vulnerability. The presence of OLE object data and automatic linking suggests an attempt to embed and activate external content. The critical RTF_EQUATION_EDITOR heuristic confirms the exploitation of a known vulnerability, likely leading to the download and execution of a second-stage payload. The SHA256 hash is provided as a primary IOC.

Heuristics 4

Split hex Equation Editor ProgID + OLE object critical RTF_EQUATION_EDITOR

RTF embeds the Equation.3 ProgID as hex bytes near OLE object activation and splits the byte stream with whitespace or an ignorable RTF group. This is an Equation Editor OLE activation surface commonly used by CVE-2017-11882 / CVE-2018-0802 exploit documents.
Automatically linked OLE object high RTF_OBJAUTLINK

RTF contains \objautlink — an automatically linked OLE object surface that can be updated or activated when Word opens the document.
\objupdate forces OLE activation high RTF_OBJUPDATE

RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
OLE object data medium RTF_OBJDATA

RTF contains 1 \objdata section(s) — embedded OLE objects

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`objdata_00_off00001e9f.bin` `9e4a7bfcba0ae43aa68c516538705c53984d2e9982836785a1f377295347e725`	rtf-objdata-decoded	RTF \objdata at offset 0x1E9F	1529 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.