Malicious RTF — malware analysis report

Static analysis result for SHA-256 b089eadb4f0d2401…

MALICIOUS

RTF

Size: 11.9 KB
First seen: 2022-10-14
MD5: 9a3ccad09d6a1432df6573022ece8750
SHA-1: 6a2682080239141d0ae10227ad1e9f49f9e36cee
SHA-256: b089eadb4f0d24012266f758e9028a0b86d744d32b4d18e6783f8ba473f7fe3a
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1059.001 Command and Scripting Interpreter: PowerShell

The RTF file carries an embedded OLE object and matches heuristics for both Equation Editor exploitation and forced OLE activation. The combination of an Equation Editor CLSID inside the object and an \objupdate control word, which instantiates the object as soon as the document is opened without any user interaction, is characteristic of documents that exploit a memory-corruption flaw in Microsoft Equation Editor (EQNEDT32.EXE), most likely CVE-2017-11882, to gain code execution. The decoded \objdata blob (4155 bytes, carved below) is where the exploit and its payload, or the instructions to download one, would reside. The verdict rests on static indicators: the payload's behaviour, including the PowerShell technique tagged above, is not evidenced by the heuristics listed here and should be confirmed by inspecting the carved object or by dynamic analysis. Hosts running Office builds that received the November 2017 and January 2018 fixes for these CVEs, after which Microsoft removed Equation Editor altogether, are not exposed to this exploitation path.

Heuristics (3)

  • RTF_EQUATION_EDITOR (critical): Equation Editor CLSID
    Equation Editor OLE CLSID found inside an OLE object. This component is the target of CVE-2017-11882 / CVE-2018-0802 / CVE-2018-0798.
  • RTF_OBJUPDATE (high): \objupdate forces OLE activation
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • RTF_OBJDATA (medium): OLE object data
    RTF contains 1 \objdata section(s), i.e. embedded OLE object(s).

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00000f40.bin
SHA-256: 5cdd2a8ff8d9a1acc545aa0be543a30566113d92a19468be3a724cd0d97e09e6
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0xF40
Size: 4155 bytes
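The three heuristics and the \objdata carving above, reproduced as an added example; this is not the sandbox's or the report's own code. The scanner walks each \objdata group, hex-decodes it while skipping nested groups, control words and line wraps, parses the OLE 1.0 ObjectHeader in front of the native data, checks for the Equation Editor CLSID (0002CE02-0000-0000-C000-000000000046), flags \objupdate, and names the carved blob after its offset the way the artifact table does. The sample document built by build_sample_rtf() is constructed here and is not the analysed file: its native payload is a stand-in of compound-file magic, the CLSID and padding, not an exploit. Heuristic IDs and severities are taken from the report; function names are this example's own.

```python
import hashlib
import json
import re
import sys

# Equation Editor (EQNEDT32.EXE) class id, the indicator behind RTF_EQUATION_EDITOR
EQNEDT_CLSID = "0002CE02-0000-0000-C000-000000000046"
HEX = set("0123456789abcdefABCDEF")
CONTROL = re.compile(r"\\(?:'[0-9a-fA-F]{2}|[a-zA-Z]+-?\d*|.)", re.DOTALL)  # \par, \'41, \*


def clsid_to_bytes(clsid: str) -> bytes:
    """Serialise a GUID as it is stored on disk: first three fields little-endian, rest as-is."""
    a, b, c, d, e = clsid.split("-")
    return (int(a, 16).to_bytes(4, "little") + int(b, 16).to_bytes(2, "little")
            + int(c, 16).to_bytes(2, "little") + bytes.fromhex(d + e))


EQNEDT_CLSID_BYTES = clsid_to_bytes(EQNEDT_CLSID)


def find_objdata(rtf: bytes):
    """Yield (byte offset, hex digits) per \\objdata group: digits up to the closing brace, with
    nested groups, control words and whitespace skipped (\\bin raw data is not handled)."""
    text = rtf.decode("latin-1")  # 1:1 decoding keeps text offsets equal to byte offsets
    for m in re.finditer(r"\\objdata(?![a-zA-Z])", text):
        pos, depth, digits = m.end(), 0, []
        while pos < len(text):
            ch = text[pos]
            if ch == "{":
                depth += 1
            elif ch == "}":
                if depth == 0:
                    break
                depth -= 1
            elif ch == "\\":
                ctl = CONTROL.match(text, pos)
                pos = ctl.end() if ctl else pos + 1
                continue
            elif depth == 0 and ch in HEX:
                digits.append(ch)
            pos += 1
        yield m.start(), "".join(digits)


def read_lp_string(blob: bytes, pos: int):
    """OLE1 LengthPrefixedAnsiString: u32 length (NUL included) followed by the characters."""
    n = int.from_bytes(blob[pos:pos + 4], "little")
    return blob[pos + 4:pos + 4 + n].rstrip(b"\x00").decode("latin-1", "replace"), pos + 4 + n


def parse_ole1(blob: bytes):
    """Parse the OLE 1.0 ObjectHeader that \\objdata carries (MS-OLEDS); None without the magic."""
    if blob[:4] != b"\x01\x05\x00\x00":
        return None
    format_id = int.from_bytes(blob[4:8], "little")  # 2 = embedded object
    class_name, pos = read_lp_string(blob, 8)
    _topic, pos = read_lp_string(blob, pos)
    _item, pos = read_lp_string(blob, pos)
    native_len = int.from_bytes(blob[pos:pos + 4], "little")
    return {"format_id": format_id, "class_name": class_name,
            "native": blob[pos + 4:pos + 4 + native_len]}


def scan_rtf(rtf: bytes) -> dict:
    """Apply the report's three heuristics and carve each decoded \\objdata blob."""
    report = {"heuristics": [], "artifacts": []}
    objects = list(find_objdata(rtf))
    if objects:
        report["heuristics"].append(("RTF_OBJDATA", "medium", f"{len(objects)} \\objdata section(s)"))
    if re.search(rb"\\objupdate(?![a-zA-Z])", rtf):
        report["heuristics"].append(("RTF_OBJUPDATE", "high", "\\objupdate forces OLE activation on open"))
    for index, (offset, digits) in enumerate(objects):
        blob = bytes.fromhex(digits[:len(digits) & ~1])  # drop a dangling nibble
        header = parse_ole1(blob)
        art = {"filename": f"objdata_{index:02d}_off{offset:08x}.bin", "offset": offset,
               "size": len(blob), "sha256": hashlib.sha256(blob).hexdigest(),
               "class_name": header["class_name"] if header else None,
               "eqnedt_clsid": EQNEDT_CLSID_BYTES in blob, "blob": blob}
        if art["eqnedt_clsid"]:
            report["heuristics"].append(("RTF_EQUATION_EDITOR", "critical",
                                         f"Equation Editor CLSID in \\objdata at 0x{offset:X}"))
        report["artifacts"].append(art)
    return report


def lp_string(s: str) -> bytes:
    raw = s.encode("latin-1") + b"\x00" if s else b""
    return len(raw).to_bytes(4, "little") + raw


def build_sample_rtf() -> bytes:
    """Constructed test document, not the analysed sample: an Equation.3 OLE1 wrapper whose
    native payload is a stand-in (compound-file magic, the CLSID, padding), not an exploit."""
    native = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24 + EQNEDT_CLSID_BYTES + b"A" * 32
    ole1 = (b"\x01\x05\x00\x00" + (2).to_bytes(4, "little") + lp_string("Equation.3")
            + lp_string("") + lp_string("") + len(native).to_bytes(4, "little") + native)
    hexdata = ole1.hex()
    wrapped = "\r\n".join(hexdata[i:i + 64] for i in range(0, len(hexdata), 64))  # writers wrap hex
    doc = ("{\\rtf1\\ansi\\deff0{\\fonttbl{\\f0 Calibri;}}\\pard Invoice attached.\\par\r\n"
           "{\\object\\objemb\\objupdate\\objw380\\objh260{\\*\\objclass Equation.3}"
           "{\\*\\objdata " + wrapped + "}}}")
    return doc.encode("latin-1")


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_rtf()
    result = scan_rtf(data)
    for art in result["artifacts"]:
        open(art["filename"], "wb").write(art.pop("blob"))  # carve the object, as the sandbox did
    print(json.dumps(result, indent=2))
```

Run it with a path to an RTF to get the JSON report and the carved objdata_NN_offXXXXXXXX.bin files, or with no argument to scan the constructed sample. The extractor deliberately tolerates junk control words and nested groups inside the hex, the cheap obfuscation most RTF exploit builders apply; for hostile samples that use \bin raw data or deeper tricks, oletools' rtfobj is the robust choice, and this scanner is the point at which to hand the carved blob to olefile or a sandbox to learn what the payload does.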