Malicious RTF — malware analysis report

Static analysis result for SHA-256 b5d48e4aa15901a8…

MALICIOUS

RTF

94.4 KB First seen: 2024-07-31
MD5: fbc6766776e17ffa02a6813e4f20b22b SHA-1: 58110a9f8f62038bd95eea66c74523320f075176 SHA-256: b5d48e4aa15901a84ad2c00a6b6a228471c3e5ad695f7ea11e584afa43543a69
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 User Execution: Malicious File

The RTF document contains an embedded OLE object with a split Equation Editor ProgID, triggering heuristics for RTF_EQUATION_EDITOR and RTF_OBJUPDATE. This indicates an attempt to exploit a known vulnerability in Microsoft Equation Editor. The presence of OLE object data suggests the embedded object is designed to execute code, likely to download and run a second-stage payload.

Heuristics 3

  • Split hex Equation Editor ProgID + OLE object critical RTF_EQUATION_EDITOR
    RTF embeds the Equation.3 ProgID as hex bytes near OLE object activation and splits the byte stream with whitespace or an ignorable RTF group. This is an Equation Editor OLE activation surface commonly used by CVE-2017-11882 / CVE-2018-0802 exploit documents.
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off00001eb2.bin
ddf72b0eca9e37dd764210c7f433ab9a79b057999602b6e7ccf70eb154807feb		 rtf-objdata-decoded RTF \objdata at offset 0x1EB2 1947 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.