Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 b8446b9db0640e74…

Verdict: MALICIOUS
File type: RTF / .DOC
Size: 20.4 KB
MD5: 03566535437f0334650ed9c53ea2fb25
SHA-1: 23e12f5608c6652d62ee8eb152bbc73d35de1277
SHA-256: b8446b9db0640e742b42d72a93a14af55bae43defabc8fa9ec6522e05315d924
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File

The sample is an RTF document that contains embedded OLE object data targeting the Equation Editor. The RTF_EQUATION_EDITOR heuristic indicates that a PE file was decoded from the Equation Editor object, suggesting that the document acts as a dropper. The RTF_OBJUPDATE heuristic further confirms that the OLE object is designed to be activated automatically, likely triggering the exploit. The document body is heavily obfuscated and provides no clear textual lure, but the presence of these specific RTF heuristics strongly points to a known Equation Editor exploit chain.

Heuristics (3)

  • Decoded Equation Editor payload + PE (severity: critical, id: RTF_EQUATION_EDITOR)
    RTF decodes to an Equation Editor ProgID adjacent to OLE activation, and the same decoded object stream contains embedded PE bytes. This matches the Equation Editor exploit surface used by CVE-2017-11882 / CVE-2018-0802 documents; the heuristic requires payload evidence so that benign Equation references are not flagged.
  • \objupdate forces OLE activation (severity: high, id: RTF_OBJUPDATE)
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium, id: RTF_OBJDATA)
    RTF contains 2 \objdata section(s) — embedded OLE objects.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00000bb0.bin
SHA-256: 3cf544c5dc0e978bcd69e68aa86635b5dc6b70b03d0e2c2516285b7e58e25b1d
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0xBB0
Size: 2021 bytes