Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 afe45d0abfa33565…

Verdict: MALICIOUS
File type: RTF / .DOC
Size: 11.1 KB
MD5: bbb35606a8d3163493d597062773947e
SHA-1: a60d440250a7d2b70b8bcd0db19b1a5a8a4104a5
SHA-256: afe45d0abfa33565c3bc685f80c6d030268d55f820639b31590893540d749c8a
Risk Score: 120

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The RTF document contains embedded OLE object data and specifically triggers the Equation Editor vulnerability, indicated by the RTF_EQUATION_EDITOR and RTF_OBJUPDATE heuristics. This exploit is designed to achieve code execution on the victim's machine. The embedded objdata artifact is likely the exploit payload or a component thereof. The exact nature of the secondary payload could not be determined due to the lack of script content.

Heuristics (3)

  • Split hex Equation Editor ProgID + OLE object (severity: critical, rule: RTF_EQUATION_EDITOR)
    RTF embeds the Equation.3 ProgID as hex bytes near OLE object activation and splits the byte stream with whitespace or an ignorable RTF group. This is an Equation Editor OLE activation surface commonly used by CVE-2017-11882 / CVE-2018-0802 exploit documents.
  • \objupdate forces OLE activation (severity: high, rule: RTF_OBJUPDATE)
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium, rule: RTF_OBJDATA)
    RTF contains 2 \objdata section(s), i.e. embedded OLE objects.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00001f05.bin
SHA-256: 43ffedf176b6efda8725ab5b93253f4fe82e914402ec496a85ab23d70ac3004f
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x1F05
Size: 1574 bytes