Malicious RTF — malware analysis report

Static analysis result for SHA-256 bdeda03a8c6e5acd…

Verdict: MALICIOUS
File type: RTF
Size: 9.6 KB
MD5: 990834310f31f02dff5a8b287ec0a1e8
SHA-1: 9e289f161d91a60eff0346d75fbeb00b050568f4
SHA-256: bdeda03a8c6e5acde3a6d6a7056fdfde878934d4e7179176524ce9b76510ae7f
Risk Score: 120

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment
T1204.002 User Execution: Malicious File

The sample is an RTF document that delivers an embedded OLE object targeting the Equation Editor vulnerability (CVE-2017-11882). The heuristic findings show that the document is built to fire the exploit as soon as it is opened: \objupdate forces the embedded object to be instantiated without any user interaction, and the \objdata stream carries the object that Equation Editor (EQNEDT32.EXE) loads. The immediate goal is arbitrary code execution in the Equation Editor process; what the shellcode does next (commonly downloading and running a second-stage payload) cannot be established from these static heuristics alone and would require analysing the carved \objdata blob listed under Extracted artifacts.

Heuristics (3)

  • RTF_EQUATION_EDITOR (critical): split hex Equation Editor ProgID + OLE object
    The RTF embeds the Equation.3 ProgID as hex bytes near the OLE object activation and splits the byte stream with whitespace or an ignorable RTF group, which defeats naive string matching on the ProgID. This is the Equation Editor OLE activation surface used by CVE-2017-11882 / CVE-2018-0802 exploit documents.
  • RTF_OBJUPDATE (high): \objupdate forces OLE activation
    The RTF contains \objupdate, which forces the embedded OLE object to be instantiated automatically when the document is opened, with no user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • RTF_OBJDATA (medium): OLE object data
    The RTF contains 1 \objdata section, i.e. one embedded OLE object.
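As an added worked example (not part of the original report or of the scanner that produced it), the following Python reimplements the three checks above in a way that survives the hex-splitting trick: it scans for \objupdate, locates each \objdata stream, strips whitespace and ignorable {\*...} groups before hex-decoding, and reads the ProgID out of the OLE1 header of the decoded blob. The offsets it reports correspond to the kind of "RTF \objdata at offset" entry shown under Extracted artifacts. The two RTF fragments are constructed for the demonstration; the function names and the simplified OLE1 header layout (version, format id, class-name length, class name) are the example's own, and the decoder handles only the plain hex form of \objdata, not \bin binary runs.

```python
import re

# Constructed sample fragments (not the analysed file). SAMPLE_EXPLOIT mimics the three
# findings above: \objupdate, one \objdata stream, and an OLE1 class name "Equation.3"
# whose hex is split by whitespace, a newline and an ignorable {\*...} group.
SAMPLE_EXPLOIT = (
    r"{\rtf1\ansi{\object\objemb\objupdate{\*\objclass Package}"
    r"{\*\objdata 0100 0000" "\n"
    r"0200 0000 {\*\ignorable junk 0xdead}0b00 0000 4571 7561 7469 6f6e 2e33 00}}}"
)
# Control sample: an embedded Package object, no \objupdate, contiguous hex.
SAMPLE_BENIGN = (
    r"{\rtf1\ansi{\object\objemb{\*\objclass Package}"
    r"{\*\objdata 0100000002000000080000005061636b61676500}}}"
)

HEX_CHARS = set("0123456789abcdefABCDEF")


def _collect_hex(rtf: str, start: int) -> str:
    """Gather the hex digits following an \\objdata keyword. Whitespace is skipped and
    any nested group (the ignorable {\\*...} groups used to split the stream) is skipped
    whole; the closing brace of the \\objdata group or a new control word ends the scan."""
    digits = []
    i, n = start, len(rtf)
    while i < n:
        c = rtf[i]
        if c in HEX_CHARS:
            digits.append(c)
            i += 1
        elif c.isspace():
            i += 1
        elif c == "{":
            depth = 0  # skip the nested group, tracking brace depth
            while i < n:
                if rtf[i] == "{":
                    depth += 1
                elif rtf[i] == "}":
                    depth -= 1
                    if depth == 0:
                        i += 1
                        break
                i += 1
        else:
            break  # '}' closes the group, '\' starts another control word
    return "".join(digits)


def extract_objdata(rtf: str):
    """Return [(offset_of_keyword, decoded_bytes)] for every \\objdata in the document."""
    results = []
    for m in re.finditer(r"\\objdata\b", rtf):
        hexstr = _collect_hex(rtf, m.end())
        if len(hexstr) % 2:  # stray trailing nibble: drop it rather than fail
            hexstr = hexstr[:-1]
        results.append((m.start(), bytes.fromhex(hexstr)))
    return results


def ole1_classname(blob: bytes):
    """Read the class name (ProgID) from a simplified OLE1 object header:
    u32 version, u32 format id, u32 class-name length, NUL-terminated class name.
    Returns None if the blob is too short or the length field is implausible."""
    if len(blob) < 12:
        return None
    length = int.from_bytes(blob[8:12], "little")
    if length == 0 or length > 256 or 12 + length > len(blob):
        return None
    return blob[12:12 + length].rstrip(b"\x00").decode("latin-1")


def analyse(rtf: str) -> dict:
    """Apply the RTF_OBJUPDATE, RTF_OBJDATA and Equation Editor checks to an RTF string."""
    objects = extract_objdata(rtf)
    # Match on the decoded bytes, so splitting the hex stream does not hide the ProgID.
    return {
        "objupdate": re.search(r"\\objupdate\b", rtf) is not None,
        "objdata_count": len(objects),
        "objdata_offsets": [off for off, _ in objects],
        "progids": [ole1_classname(blob) for _, blob in objects],
        "equation_editor": any(b"Equation" in blob for _, blob in objects),
    }


if __name__ == "__main__":
    for name, doc in (("exploit-like", SAMPLE_EXPLOIT), ("benign", SAMPLE_BENIGN)):
        print(name, analyse(doc))
```

On the real sample the decoded blob for the single \objdata would be the 2141-byte artifact carved at 0xB2E; the class-name check here is deliberately loose (any "Equation" substring) because exploit documents also vary the ProgID casing and padding.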

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00000b2e.bin
SHA-256: 806dc1c8282eb42d85780ee0b24d9a3165022d880924837577f21d1cb39c5b7e
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0xB2E
Size: 2141 bytes