Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 bba6a529c00a612c…

MALICIOUS

RTF / .DOC

Size: 10.9 KB
First seen: 2022-03-28
MD5: 7ab1687bdfc6bb2151548c2dd7bedee6
SHA-1: 389b2cfca3bf9bbf09d4e17d742a7c65ef04e4d4
SHA-256: bba6a529c00a612cf379e46740b2ab0fe6dcdb6953cb9249b56d7e3590833e37
Risk score: 121

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1059.001 PowerShell

The sample is an RTF document that contains embedded OLE object data and specifically targets the Equation Editor vulnerability. The \objupdate control word forces activation of the embedded object when the document is opened, leading to exploitation without further user interaction. The primary attack vector is exploitation of the Equation Editor, a well-known method for initial code execution. Given the heuristic firings, the specific exploit used is likely CVE-2017-11882.

Heuristics (3)

  • [critical] RTF_EQUATION_EDITOR: Split hex Equation Editor ProgID + OLE object
    RTF embeds the Equation.3 ProgID as hex bytes near OLE object activation and splits the byte stream with whitespace or an ignorable RTF group. This is an Equation Editor OLE activation surface commonly used by CVE-2017-11882 / CVE-2018-0802 exploit documents.
  • [high] RTF_OBJUPDATE: \objupdate forces OLE activation
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • [medium] RTF_OBJDATA: OLE object data
    RTF contains 2 \objdata section(s) — embedded OLE objects.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00001af7.bin
SHA-256: 44fc584cec5c5aa374d722f9f371f2e1dbd0fefbe670c14b0d23dad131972cd2
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x1AF7
Size: 1938 bytes