Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 bfcb98c26a4d3602…

Verdict: MALICIOUS
File type: RTF / .DOC
File size: 34.4 KB
MD5: 14b41eb509dcab178307831b0a8c9f55
SHA-1: 1ea51e2d18c2a2550460d9d196d2b00722ac44cb
SHA-256: bfcb98c26a4d3602a807d1213ea5ea967ea5cdc8e84da30c8427826a7ef74c85
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File

The sample is an RTF document that contains an embedded OLE object, specifically targeting the Equation Editor vulnerability. The \objupdate directive indicates that the embedded object is intended to be activated automatically. This strongly suggests an exploit delivery mechanism, likely leading to the execution of a secondary payload. No specific family could be identified, but the exploit vector is clear.

Heuristics (3)

  • Equation Editor CLSID (severity: critical, rule: RTF_EQUATION_EDITOR)
    Equation Editor OLE CLSID found inside an OLE object — exploited by CVE-2017-11882 / CVE-2018-0802 / CVE-2018-0798
  • \objupdate forces OLE activation (severity: high, rule: RTF_OBJUPDATE)
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium, rule: RTF_OBJDATA)
    RTF contains 1 \objdata section(s) — embedded OLE objects

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00001785.bin
SHA-256: 16c8a51f3c52cb16bbf132565b6061d2e78b124d3f593f00f1f73d87790b96d8
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x1785
Size: 4230 bytes