Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 ad6e7ce60f3d220f…

MALICIOUS

RTF / .DOC

2.07 MB First seen: 2022-03-18
MD5: 018f770ce2aeb533a771ef8d02e9e490 SHA-1: 692d7fa82bff8f332e87f510f543226b965b13b9 SHA-256: ad6e7ce60f3d220f50bd78b3bc89fa43cbf2a9d86e25f6dcc9d2ec5759d95ce5
180 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious File

The RTF document contains an embedded OLE object that leverages the Equation Editor vulnerability (CVE-2017-11882). The decoded object data suggests the presence of a Visual Basic script, likely intended to download and execute a second-stage payload. The document body contains obfuscated VBA code that appears to be related to Windows software licensing management, potentially serving as a lure.

Heuristics 5

  • Equation Editor activation — CVE-2017-11882 related high CVE related CVE_2017_11882_ACTIVATION_RELATED
    RTF decodes to an Equation.3 ProgID and requests OLE activation with \objemb plus \objupdate. This reaches the legacy Equation Editor attack surface used by CVE-2017-11882/CVE-2018-0802 documents, but the malformed MTEF/native payload needed for stronger attribution was not recovered.
  • Split hex Equation Editor ProgID + OLE object critical RTF_EQUATION_EDITOR
    RTF embeds the Equation.3 ProgID as hex bytes near OLE object activation and splits the byte stream with whitespace or an ignorable RTF group. This is an Equation Editor OLE activation surface commonly used by CVE-2017-11882 / CVE-2018-0802 exploit documents.
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 2 \objdata section(s) — embedded OLE objects
  • Embedded OLE object medium RTF_OBJEMB
    RTF contains \objemb — embedded OLE object

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off000012b8.bin
53c857af6a4d503cfed31a522b25b34642f7909d6768e28ac37a7c1ead62e605		 rtf-objdata-decoded RTF \objdata at offset 0x12B8 86008 bytes
objdata_01_off00036c24.bin
fd3b0881f817e61583f80f1519a3dd200c0f623223e0b7277aad89f0688231e3		 rtf-objdata-decoded RTF \objdata at offset 0x36C24 463159 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.