Malicious RTF — malware analysis report

Static analysis result for SHA-256 a6c34bf746b634e4…

MALICIOUS

RTF

1.17 MB First seen: 2021-06-17
MD5: 5b7af8768d32bca6136c58d7ea27dc5f SHA-1: a6b2904e08f02482a3e38fb12818b09563038ef8 SHA-256: a6c34bf746b634e458beacd8d985656d579d3b22dd1391690646a785140458e6
180 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The RTF file contains multiple indicators of malicious activity, including embedded OLE objects and specifically the Equation Editor object, which is known to be exploited via CVE-2017-11882. The presence of \objupdate further suggests an attempt to force OLE activation. This exploit allows for the execution of arbitrary code, likely to download and run a secondary payload.

Heuristics 5

  • Equation Editor activation — CVE-2017-11882 related high CVE related CVE_2017_11882_ACTIVATION_RELATED
    RTF decodes to an Equation.3 ProgID and requests OLE activation with \objemb plus \objupdate. This reaches the legacy Equation Editor attack surface used by CVE-2017-11882/CVE-2018-0802 documents, but the malformed MTEF/native payload needed for stronger attribution was not recovered.
  • Split hex Equation Editor ProgID + OLE object critical RTF_EQUATION_EDITOR
    RTF embeds the Equation.3 ProgID as hex bytes near OLE object activation and splits the byte stream with whitespace or an ignorable RTF group. This is an Equation Editor OLE activation surface commonly used by CVE-2017-11882 / CVE-2018-0802 exploit documents.
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 2 \objdata section(s) — embedded OLE objects
  • Embedded OLE object medium RTF_OBJEMB
    RTF contains \objemb — embedded OLE object

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off00000f58.bin rtf-objdata-decoded RTF \objdata at offset 0xF58 52852 bytes
SHA-256: 2a4894d8192c4774950e1ec0ed7bc9b31ba582b5582c181f1b66263bb3a72501
objdata_01_off0002e25f.bin rtf-objdata-decoded RTF \objdata at offset 0x2E25F 254566 bytes
SHA-256: d58e45cc3a60ce012b53972ea70846c80b4219924e4d59541626e9dbb3083e1d

Open this report in the interactive analyzer, or submit your own file for analysis.