Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 c702c2d41d823874…

MALICIOUS

RTF / .DOC

Size: 864.6 KB
First seen: 2022-09-26
MD5: 6c9ba54d9e3a68b9e2611955021bc939
SHA-1: 1458c60150cd7b36ac7e0a50089b61fb1da0e52c
SHA-256: c702c2d41d8238744062a0474286881cc3ee8154b2c5f2619d6cae5a32eeba9a
Risk Score: 180

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The RTF document contains an embedded OLE object that exploits CVE-2017-11882 via the Equation Editor. The decoded object data suggests the presence of a VBScript, likely intended to download and execute a second-stage payload. The script's logic appears to read configuration from an INI-like file, but the full content could not be retrieved due to truncation.

Heuristics (5)

  • Equation Editor activation — CVE-2017-11882 related [high] [CVE related] CVE_2017_11882_ACTIVATION_RELATED
    RTF decodes to an Equation.3 ProgID and requests OLE activation with \objemb plus \objupdate. This reaches the legacy Equation Editor attack surface used by CVE-2017-11882/CVE-2018-0802 documents, but the malformed MTEF/native payload needed for stronger attribution was not recovered.
  • Split hex Equation Editor ProgID + OLE object [critical] RTF_EQUATION_EDITOR
    RTF embeds the Equation.3 ProgID as hex bytes near OLE object activation and splits the byte stream with whitespace or an ignorable RTF group. This is an Equation Editor OLE activation surface commonly used by CVE-2017-11882 / CVE-2018-0802 exploit documents.
  • \objupdate forces OLE activation [high] RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data [medium] RTF_OBJDATA
    RTF contains 2 \objdata section(s) — embedded OLE objects.
  • Embedded OLE object [medium] RTF_OBJEMB
    RTF contains \objemb — embedded OLE object.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • objdata_00_off00001277.bin
    SHA-256: 37b70210b1b47cf5660adc9f0e480e1ceb9a289efb052a4d6cc51eea686ce511
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x1277
    Size: 81480 bytes
  • objdata_01_off0002f05e.bin
    SHA-256: d541f40d3697d40fb5a5ae03df885a1ecc9c95b0c0f7dd7bfe86e66ff4cfbf9a
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x2F05E
    Size: 141506 bytes