RTF malware analysis — malicious · b9c1c77e731b1f7c

MALICIOUS

RTF

35.5 KB First seen: 2023-07-11

MD5: 6bad9606e870b69823f32c9255c194c4 SHA-1: 94c159ac4b474658f61087a800b0d5ea76eedbc5 SHA-256: b9c1c77e731b1f7c049cf8578367a8615f182f0ac6539cd1bc7b1b729d63557b

140 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1204.002 Malicious File

The RTF file contains an embedded OLE object with a split Equation Editor ProgID, indicating an attempt to exploit CVE-2017-11882. The \objupdate directive further suggests that the object is configured to activate automatically upon opening or when editing is enabled. The document body contains a generic lure instructing the user to 'Enable editing', a common tactic for macro-based or exploit-laden documents.

Heuristics 4

Split hex Equation Editor ProgID + OLE object critical RTF_EQUATION_EDITOR

RTF embeds the Equation.3 ProgID as hex bytes near OLE object activation and splits the byte stream with whitespace or an ignorable RTF group. This is an Equation Editor OLE activation surface commonly used by CVE-2017-11882 / CVE-2018-0802 exploit documents.
\objupdate forces OLE activation high RTF_OBJUPDATE

RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
OLE object data medium RTF_OBJDATA

RTF contains 1 \objdata section(s) — embedded OLE objects
Macro/content-enable lure medium SE_ENABLE_LURE

Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`objdata_00_off0000429e.bin` `5648f124fa089712149b0190be775253bd74a448f63adf7074fad62d3c365c04`	rtf-objdata-decoded	RTF \objdata at offset 0x429E	1560 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.