Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 cc919489faa7e053…

MALICIOUS

RTF / .DOC

113.3 KB
MD5: 4f083daca63cd2bcb2956188a715e158
SHA-1: 757474b07107a240c5eba7e0b5a6f3259c2155ba
SHA-256: cc919489faa7e0533fde063de20dd1cc1d4116b54708e08ea37e34a4e6d2672a

Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1059.001 PowerShell

The sample is an RTF document that contains embedded OLE object data. Heuristics indicate the presence of a decoded Equation Editor payload and that \objupdate forces OLE activation. This strongly suggests exploitation of a known Equation Editor vulnerability to achieve code execution. The decoded object is a Portable Executable, likely a downloader or initial payload.

Heuristics (3)

  • Decoded Equation Editor payload + PE [critical] (RTF_EQUATION_EDITOR)
    The RTF decodes to an Equation Editor ProgID adjacent to OLE activation, and the same decoded object stream contains embedded PE bytes. This matches the Equation Editor exploit surface used by CVE-2017-11882 / CVE-2018-0802 documents; payload evidence is required so that benign Equation references are not flagged.
  • \objupdate forces OLE activation [high] (RTF_OBJUPDATE)
    The RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data [medium] (RTF_OBJDATA)
    The RTF contains 2 \objdata section(s), i.e. embedded OLE objects.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  • Filename: objdata_00_off0000055e.bin
    SHA-256: ea0cf3faf61fd11f549a8f95bf8daa8768b79eeff102534d11f2412a330f32c6
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x55E
    Size: 2076 bytes