Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 ba03539fc97022c6…

MALICIOUS

RTF / .DOC

50.7 KB First seen: 2022-11-02
MD5: e854d56bbaeed9c163e9859b160c8b95 SHA-1: ade333e4f5cee5b2ab01d338f694aadd43c66a2c SHA-256: ba03539fc97022c647cc1948b873f0282d8e89de21b7b138bcb3539602f7ee12
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious File

The RTF document contains an embedded OLE object with an Equation Editor ProgID, indicating an attempt to exploit the Equation Editor vulnerability (CVE-2017-11882). The ".objupdate" directive forces the activation of this embedded object, which is a common technique for delivering malicious payloads. No document body text or scripts were extracted, but the heuristics strongly suggest a classic exploit delivery mechanism.

Heuristics 3

  • Split hex Equation Editor ProgID + OLE object critical RTF_EQUATION_EDITOR
    RTF embeds the Equation.3 ProgID as hex bytes near OLE object activation and splits the byte stream with whitespace or an ignorable RTF group. This is an Equation Editor OLE activation surface commonly used by CVE-2017-11882 / CVE-2018-0802 exploit documents.
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off0000084f.bin
72192072500ecff6c940e8a5b30162b9944a0bd352501f5453d459bf1ac326bb		 rtf-objdata-decoded RTF \objdata at offset 0x84F 1748 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.