Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 c13c9aba31229586…

MALICIOUS

RTF / .DOC

27.6 KB First seen: 2022-11-07
MD5: 3453fcf06c9c04c503607631d472c2dc SHA-1: 143c1f82a558ae1005efd2c9c3d367e1015af42f SHA-256: c13c9aba31229586322a5f62a3a56f8dc76fd667129ff4573a5e2653df1b571e
140 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1059.005 PowerShell

The sample is an RTF document that contains an embedded OLE object with a specific Equation Editor ProgID, indicating an attempt to exploit CVE-2017-11882. The \objupdate directive further suggests that the embedded object is intended to be activated automatically. The document body contains a lure to enable editing, which is a common tactic for macro-based malware.

Heuristics 4

  • Split hex Equation Editor ProgID + OLE object critical RTF_EQUATION_EDITOR
    RTF embeds the Equation.3 ProgID as hex bytes near OLE object activation and splits the byte stream with whitespace or an ignorable RTF group. This is an Equation Editor OLE activation surface commonly used by CVE-2017-11882 / CVE-2018-0802 exploit documents.
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects
  • Macro/content-enable lure medium SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off00005233.bin
f14498c68dbde05e725cee41fcee8ec8bbb8a41317d5d71b684398c99cf39427		 rtf-objdata-decoded RTF \objdata at offset 0x5233 2050 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.