Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 a640d808490d7844…

MALICIOUS

RTF / .DOC

8.0 KB First seen: 2022-09-07
MD5: 5a9f9e6aab8caf0b55b4e086c4e20f91 SHA-1: c9507f61161850df007b64f26ef3eef7ab761536 SHA-256: a640d808490d78440df4508568d76ab12f0d4b39e62cb93d79b1b3b50bc2c36a
200 Risk Score

Malware Insights

MITRE ATT&CK
T1204 Malicious Link T1566.001 Phishing: Spearphishing Attachment T1204.002 Malicious Link: Malicious File T1059.005 Command and Scripting Interpreter: Visual Basic T1027 Obfuscated Files or Information

The RTF file contains embedded OLE object data, specifically a decoded Equation Editor payload. Heuristics indicate this payload is related to CVE-2017-11882, a known vulnerability in Microsoft Equation Editor. The document also contains a lure instructing the user to enable editing, which is a common technique for malware droppers. The embedded object data, identified as 'EQUAtiOn.3', is the primary IOC.

Heuristics 6

  • Equation Editor activation — CVE-2017-11882 related high CVE related CVE_2017_11882_ACTIVATION_RELATED
    RTF decodes to an Equation.3 ProgID and requests OLE activation with \objemb plus \objupdate. This reaches the legacy Equation Editor attack surface used by CVE-2017-11882/CVE-2018-0802 documents, but the malformed MTEF/native payload needed for stronger attribution was not recovered.
  • Decoded Equation Editor payload + PE critical RTF_EQUATION_EDITOR
    RTF decodes to an Equation Editor ProgID adjacent to OLE activation and the same decoded object stream contains embedded PE bytes. This matches the Equation Editor exploit surface used by CVE-2017-11882 / CVE-2018-0802 documents, while requiring payload evidence to avoid flagging benign Equation references.
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 2 \objdata section(s) — embedded OLE objects
  • Embedded OLE object medium RTF_OBJEMB
    RTF contains \objemb — embedded OLE object
  • Macro/content-enable lure medium SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off00000d50.bin
3eccdd3a3195767fb19326002510a49a26f1fbf8b8d5db6e8619bff23d012c6d		 rtf-objdata-decoded RTF \objdata at offset 0xD50 1656 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.