Malicious RTF — malware analysis report

Static analysis result for SHA-256 c74c2bb7f954d5f3…

MALICIOUS

RTF

212.5 KB
MD5: 01c04141e40e99c587106e590aeafa25 SHA-1: 9e5f8a0d3a28cecc71b2e7d68c9c9c95974048a3 SHA-256: c74c2bb7f954d5f3f806fd399fcec81522be1c02162a6821d31050de1dee1a92
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious File T1059.003 Windows Command Shell

The RTF file contains an embedded OLE object, specifically triggering the Equation Editor vulnerability. The \objupdate directive indicates an attempt to force OLE activation, which is a common method for exploiting this vulnerability. This suggests the file is designed to deliver a payload via the Equation Editor exploit, likely through a spearphishing attachment.

Heuristics 3

  • Equation Editor CLSID critical RTF_EQUATION_EDITOR
    Equation Editor OLE CLSID found inside an OLE object — exploited by CVE-2017-11882 / CVE-2018-0802 / CVE-2018-0798
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off00000093.bin
ee62521a166852dfe3e6f43bf2f4f3a853932389b85faeeeee095ccb02864276		 rtf-objdata-decoded RTF \objdata at offset 0x93 65884 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.