Malicious RTF — malware analysis report

Static analysis result for SHA-256 c5e7000fb819ce44…

MALICIOUS

RTF

Size: 51.8 KB
First seen: 2024-11-27
MD5: 673b4265a6e94edb2de8a8e153fe55f8
SHA-1: e4ffa5fa4f9ff96bf0842a6191474aa3ba3ef7c7
SHA-256: c5e7000fb819ce447166e6fed82781d31ab1523d555bd9ee4b3ee11b63e8bc44
Risk Score: 160

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1204.002 Malicious File

The RTF file contains multiple indicators of exploiting the Equation Editor vulnerability, including RTF_EQUATION_EDITOR and RTF_OBJAUTLINK heuristics. This type of exploit typically leads to the execution of arbitrary code, often to download and run a secondary payload. The embedded OLE object data further supports this attack vector.

Heuristics (4)

  • Split hex Equation Editor ProgID + OLE object (severity: critical, RTF_EQUATION_EDITOR)
    RTF embeds the Equation.3 ProgID as hex bytes near OLE object activation and splits the byte stream with whitespace or an ignorable RTF group. This is an Equation Editor OLE activation surface commonly used by CVE-2017-11882 / CVE-2018-0802 exploit documents.
  • Automatically linked OLE object (severity: high, RTF_OBJAUTLINK)
    RTF contains \objautlink, an automatically linked OLE object surface that can be updated or activated when Word opens the document.
  • \objupdate forces OLE activation (severity: high, RTF_OBJUPDATE)
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium, RTF_OBJDATA)
    RTF contains 1 \objdata section(s), i.e. embedded OLE objects.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00001bcc.bin
SHA-256: 53bdfaa7d28718cab5725c97e2c9993bb124294a6a218426dc85a6367b2dc64c
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x1BCC
Size: 1623 bytes