Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 ac6d1e0ac2cecd84…

MALICIOUS

RTF / .DOC

16.9 KB
MD5: d2d1f266ca24290146aa6bb76d1605ca
SHA-1: 263e2c061e71d4252888c77815c562615bb7e7a9
SHA-256: ac6d1e0ac2cecd84e378487c6cb4c4361281661f0b7391f26ca0058b53318aaa
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File

The file is an RTF document that contains embedded OLE object data, specifically targeting the Equation Editor vulnerability. The `RTF_EQUATION_EDITOR` and `RTF_OBJUPDATE` heuristics indicate that this document is designed to exploit a known vulnerability in the Equation Editor component to achieve code execution. The presence of OLE object data suggests that the exploit likely attempts to download and execute a secondary payload. The document body is heavily obfuscated and does not provide clear user-facing text, reinforcing the exploit-driven nature of the attack.

Heuristics (3)

  • RTF_EQUATION_EDITOR (critical): Split hex Equation Editor ProgID + OLE object
    RTF embeds the Equation.3 ProgID as hex bytes near OLE object activation and splits the byte stream with whitespace or an ignorable RTF group. This is an Equation Editor OLE activation surface commonly used by CVE-2017-11882 / CVE-2018-0802 exploit documents.
  • RTF_OBJUPDATE (high): \objupdate forces OLE activation
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • RTF_OBJDATA (medium): OLE object data
    RTF contains 2 \objdata section(s) (embedded OLE objects).

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00000da3.bin
SHA-256:  1dcea383a94e3601db8d6054f811c11377c96c60d97f8733bd39098b129300f4
Kind:     rtf-objdata-decoded
Source:   RTF \objdata at offset 0xDA3
Size:     1647 bytes