RTF malware analysis — malicious · a5f865743d2ac723

MALICIOUS

RTF

118.7 KB First seen: 2024-09-25

MD5: 59e879eb2a3f5f54db609e47b0596813 SHA-1: 103371a7186a337b2fe41038fac9c1a6519bc9bb SHA-256: a5f865743d2ac723fca850a9d3c48263afb8bed5016c38881da0358207d0cc44

160 Risk Score

Malware Insights

MITRE ATT&CK

T1204 Malicious Link T1566.001 Spearphishing Attachment

The RTF document contains critical heuristics indicating the exploitation of the Equation Editor vulnerability (RTF_EQUATION_EDITOR). It also fires for OLE object data and automatic linking, suggesting an attempt to embed and activate external content. The presence of ".objupdate" further confirms that the embedded OLE object is intended to be activated, likely to download and execute a secondary payload.

Heuristics 4

Split hex Equation Editor ProgID + OLE object critical RTF_EQUATION_EDITOR

RTF embeds the Equation.3 ProgID as hex bytes near OLE object activation and splits the byte stream with whitespace or an ignorable RTF group. This is an Equation Editor OLE activation surface commonly used by CVE-2017-11882 / CVE-2018-0802 exploit documents.
Automatically linked OLE object high RTF_OBJAUTLINK

RTF contains \objautlink — an automatically linked OLE object surface that can be updated or activated when Word opens the document.
\objupdate forces OLE activation high RTF_OBJUPDATE

RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
OLE object data medium RTF_OBJDATA

RTF contains 1 \objdata section(s) — embedded OLE objects

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`objdata_00_off0000124f.bin` `a4256d4295a244f6e50ba7cdbfcb8a30ff176c74a7eb4f1295238078832995ce`	rtf-objdata-decoded	RTF \objdata at offset 0x124F	2041 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.