Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 b6bca600e4646a8b…

MALICIOUS

RTF / .DOC

9.5 KB First seen: 2023-01-30
MD5: c64195e295096e19a56cf6786aa360aa SHA-1: daef1f843280349471d66c13bbe76a5e44319b0a SHA-256: b6bca600e4646a8ba5fbb95ad74fc92d48732a3e7dd9ffbc67cddf3385c9a11c
200 Risk Score

Malware Insights

MITRE ATT&CK
T1204 Malicious Link T1559 Component Object Model Hijacking

The RTF file contains embedded OLE object data and is specifically designed to exploit CVE-2017-11882. The heuristic firings indicate that the Equation Editor component is used to decode and execute a Portable Executable (PE) payload. This exploit allows for arbitrary code execution, likely to download and run a second-stage malicious payload.

Heuristics 5

  • Equation Editor activation — CVE-2017-11882 related high CVE related CVE_2017_11882_ACTIVATION_RELATED
    RTF decodes to an Equation.3 ProgID and requests OLE activation with \objemb plus \objupdate. This reaches the legacy Equation Editor attack surface used by CVE-2017-11882/CVE-2018-0802 documents, but the malformed MTEF/native payload needed for stronger attribution was not recovered.
  • Decoded Equation Editor payload + PE critical RTF_EQUATION_EDITOR
    RTF decodes to an Equation Editor ProgID adjacent to OLE activation and the same decoded object stream contains embedded PE bytes. This matches the Equation Editor exploit surface used by CVE-2017-11882 / CVE-2018-0802 documents, while requiring payload evidence to avoid flagging benign Equation references.
  • Automatically linked OLE object high RTF_OBJAUTLINK
    RTF contains \objautlink — an automatically linked OLE object surface that can be updated or activated when Word opens the document.
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off00001699.bin
6b43a31a1e7c20af2850c4ac7b8a4ccbe2db11fdd30f77a15caee029b4e3d3cd		 rtf-objdata-decoded RTF \objdata at offset 0x1699 1917 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.