Malicious RTF — malware analysis report

Static analysis result for SHA-256 ade4f2ab855284c2…

MALICIOUS

RTF

79.1 KB First seen: 2024-09-28
MD5: bb08f924d8e1bdc601c2ff9b31e10e0f SHA-1: 2bb89b597719aeb1c1e2b2625f6eea7b3c868c00 SHA-256: ade4f2ab855284c27728ce653ff5e2d6155f293a263313c340895cd2a1916692
120 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The sample is an RTF document that leverages the Equation Editor vulnerability, indicated by the RTF_EQUATION_EDITOR and RTF_OBJUPDATE heuristics. The embedded OLE object data (RTF_OBJDATA) suggests it's designed to trigger code execution upon opening. While no specific payload or URL was directly extracted, the exploit pattern strongly implies the document's purpose is to download and execute a secondary malicious payload.

Heuristics 3

  • Split hex Equation Editor ProgID + OLE object critical RTF_EQUATION_EDITOR
    RTF embeds the Equation.3 ProgID as hex bytes near OLE object activation and splits the byte stream with whitespace or an ignorable RTF group. This is an Equation Editor OLE activation surface commonly used by CVE-2017-11882 / CVE-2018-0802 exploit documents.
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off0000126b.bin
e8ea63902571073930b0d49a18fc5c1d9d1951f7d4bf5b35a37fa0927f63f8a0		 rtf-objdata-decoded RTF \objdata at offset 0x126B 1572 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.