Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 bcc3aaf69fe3616b…

MALICIOUS

RTF / .DOC

1.75 MB
MD5: d2a59e17de502a7b5e6858405fe260fe SHA-1: 1db960844e83f26ed18375e27f40e5949f97bf28 SHA-256: bcc3aaf69fe3616be23ff1909db683ae158515ba751eab18ce0705190ad54427
220 Risk Score

Malware Insights

MITRE ATT&CK
T1204 Malicious Link T1566.001 Spearphishing Attachment T1059.001 PowerShell T1204.002 Malicious File

The sample is an RTF document containing an embedded OLE object that exploits the Equation Editor vulnerability (CVE-2017-11882). The heuristics indicate the presence of a native payload within the OLE object, suggesting it's designed to execute arbitrary code. The RTF structure with ".objdata" and ".objupdate" further supports the exploitation of OLE object vulnerabilities. The primary attack vector is likely the exploitation of CVE-2017-11882 to deliver a secondary payload.

Heuristics 5

  • Equation Editor OLE1 native payload — CVE-2017-11882 related critical CVE related CVE_2017_11882_RELATED
    RTF decodes to an OLE1 Equation.3 embedded object whose native data is large and payload-like, and \objupdate requests automatic activation. This is the delivery shape used by Equation Editor RCE documents such as CVE-2017-11882/CVE-2018-0802, but the malformed MTEF record needed for exact attribution was not recovered.
  • Split hex Equation Editor ProgID + OLE object critical RTF_EQUATION_EDITOR
    RTF embeds the Equation.3 ProgID as hex bytes near OLE object activation and splits the byte stream with whitespace or an ignorable RTF group. This is an Equation Editor OLE activation surface commonly used by CVE-2017-11882 / CVE-2018-0802 exploit documents.
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • Large hex data blocks in OLE object high RTF_EXCESSIVE_HEX
    RTF contains ~1831KB of hex-encoded data inside \objdata sections — may hide a payload
  • OLE object data medium RTF_OBJDATA
    RTF contains 2 \objdata section(s) — embedded OLE objects

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off0000156e.bin
912bddda0042f18b51be5580db1461fa3ad73ccab6464c08b7838354a3353d0d		 rtf-objdata-decoded RTF \objdata at offset 0x156E 915798 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.