Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 c971b15b006a004d…

Verdict: MALICIOUS

File type: RTF / .DOC

Size: 16.5 KB

MD5: 2cd4ddf466c3a4edb16d626ff75352dd
SHA-1: 2c45efe93e1f3bf126d0a2a73b53b66f9a529466
SHA-256: c971b15b006a004d10e968108348c4d338ba45bce0cf4d499bd455076d30ee56

Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1204.002 User Execution: Malicious File
  • T1059.003 Command and Scripting Interpreter: Windows Command Shell

The file is an RTF document carrying embedded OLE object data and matches heuristics associated with exploits for the Microsoft Equation Editor (EQNEDT32.EXE). The \objupdate control word instructs Word to instantiate the embedded OLE object as soon as the document is opened, so no click on the object is required. Taken together, this indicates a document built to exploit CVE-2017-11882 (a stack buffer overflow in the Equation Editor's handling of an equation's font name) or a related Equation Editor bug such as CVE-2018-0802, achieving code execution with the privileges of the user who opened the file, most likely to download and run a second-stage payload. The mapped T1059.003 technique reflects the Windows command shell typically used for that second stage. No specific malware family could be identified from static analysis alone.

Heuristics (3)

  • RTF_EQUATION_EDITOR (critical): Split hex Equation Editor ProgID + OLE object
    The RTF embeds the Equation.3 ProgID as hex bytes adjacent to the OLE object activation and splits the hex byte stream with whitespace or an ignorable RTF group (a {\*\...} group), a pattern used to evade naive string matching on the ProgID. This is the Equation Editor OLE activation surface commonly used by CVE-2017-11882 / CVE-2018-0802 exploit documents.
  • RTF_OBJUPDATE (high): \objupdate forces OLE activation
    The RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, removing the need for the user to interact with the object. This control word is almost exclusively seen in Equation Editor exploit documents.
  • RTF_OBJDATA (medium): OLE object data
    The RTF contains 2 \objdata section(s), i.e. embedded OLE objects.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off000005fd.bin
SHA-256:  66c9eab754c36d781bb75bc36f6590a6b053355119fde13998cfade3fd2396c6
Kind:     rtf-objdata-decoded
Source:   RTF \objdata at offset 0x5FD
Size:     2057 bytes
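The three heuristics above and the objdata carving in this section share one step: locating each \objdata group, discarding the whitespace and ignorable groups an exploit kit interleaves with the hex, decoding the result and looking for the Equation.3 ProgID. The following Python is an added illustration of that workflow, not code from the analysis platform that produced this report. It builds its own constructed RTF sample inline (a simplified OLE1-style header carrying the ProgID, not the 2057-byte object listed above), and the carved-filename layout and the choice of the \objdata control word's position as the reported offset are assumptions made for the example.

```python
"""Find RTF \\objdata groups, normalize split hex, decode, and flag Equation Editor patterns.
Added example; the scanner, sample RTF and filename convention are this example's own."""
import re

PROGID = b"Equation.3"
PROGID_HEX = PROGID.hex()          # "4571756174696f6e2e33"

# Constructed payload: loosely follows the OLE1 ObjectHeader layout (version, format id,
# length-prefixed class name) so the ProgID lands where a real object would carry it.
FAKE_OLE_BODY = (
    b"\x01\x05\x00\x00"                              # OLEVersion
    + b"\x02\x00\x00\x00"                            # FormatID 2 = embedded object
    + len(PROGID + b"\x00").to_bytes(4, "little")    # ClassName length incl. NUL
    + PROGID + b"\x00"
    + b"\x00" * 8
    + b"A" * 32                                      # filler standing in for exploit data
)

def _split_hex(hexstr: str) -> str:
    """Mimic evasion: whitespace every 4 nibbles plus an ignorable group in the middle."""
    chunks = [hexstr[i:i + 4] for i in range(0, len(hexstr), 4)]
    chunks.insert(len(chunks) // 2, "{\\*\\ignored abc}")
    return " ".join(chunks)

# Constructed sample RTF (not the analysed file): one \objupdate-forced object whose hex is
# split, plus a second plain object so the objdata count is 2.
SAMPLE_RTF = (
    b"{\\rtf1\\ansi\n"
    b"{\\object\\objemb\\objupdate{\\*\\objclass Package}"
    b"{\\*\\objdata " + _split_hex(FAKE_OLE_BODY.hex()).encode() + b"}}\n"
    b"{\\object\\objemb{\\*\\objdata 0102}}\n"
    b"}"
)

OBJDATA = re.compile(rb"\\objdata\b")
CONTROL_WORD = re.compile(rb"\\[A-Za-z]+-?\d*[ ]?|\\[^A-Za-z]")

def _group_body(data: bytes, start: int):
    """Return bytes from `start` to the brace that closes the enclosing group (nested groups kept)."""
    depth = 0
    for i in range(start, len(data)):
        c = data[i]
        if c == 0x7B:                       # {
            depth += 1
        elif c == 0x7D:                     # }
            if depth == 0:
                return data[start:i]
            depth -= 1
    return data[start:]

def _strip_nested_groups(body: bytes) -> bytes:
    """Drop {...} groups embedded in the hex, e.g. ignorable {\\*\\foo} splitters."""
    out, depth = bytearray(), 0
    for c in body:
        if c == 0x7B:
            depth += 1
        elif c == 0x7D:
            depth -= 1
        elif depth == 0:
            out.append(c)
    return bytes(out)

def normalize_hex(body: bytes) -> str:
    """Reduce an \\objdata body to a pure lowercase hex string."""
    body = CONTROL_WORD.sub(b"", _strip_nested_groups(body))
    hexstr = re.sub(rb"[^0-9A-Fa-f]", b"", body).decode().lower()
    return hexstr[:-1] if len(hexstr) % 2 else hexstr   # drop a dangling odd nibble

def carve_name(index: int, offset: int) -> str:
    """Assumed naming convention for carved objects, patterned on the report's listing."""
    return f"objdata_{index:02d}_off{offset:08x}.bin"

def scan_rtf(data: bytes) -> dict:
    """Decode every \\objdata group and evaluate the three heuristics from the report."""
    objects = []
    for idx, m in enumerate(OBJDATA.finditer(data)):
        body = _group_body(data, m.end())
        hexstr = normalize_hex(body)
        objects.append({
            "offset": m.start(),                    # assumption: offset of the control word
            "carve_name": carve_name(idx, m.start()),
            "decoded": bytes.fromhex(hexstr),
            "hex_split": re.fullmatch(rb"[0-9A-Fa-f]*", body.strip()) is None,
            "progid": PROGID_HEX in hexstr,
        })
    findings = []
    if any(o["progid"] for o in objects):
        findings.append(("RTF_EQUATION_EDITOR", "critical"))
    if b"\\objupdate" in data:
        findings.append(("RTF_OBJUPDATE", "high"))
    if objects:
        findings.append(("RTF_OBJDATA", "medium"))
    return {"objects": objects, "findings": findings}

if __name__ == "__main__":
    result = scan_rtf(SAMPLE_RTF)
    for o in result["objects"]:
        print(o["carve_name"], len(o["decoded"]), "bytes, split:", o["hex_split"])
    print(result["findings"])
```

The split-hex normalization is the part worth keeping: a detector that greps the raw RTF for "4571756174696f6e2e33" misses the sample above, while one that first strips nested groups and whitespace does not. The decoded bytes are what you would write out as the carved artifact and hash, as the report does for objdata_00.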