Malicious RTF — malware analysis report

Static analysis result for SHA-256 cd14dbd23e95a17e…

MALICIOUS

RTF

14.7 KB First seen: 2023-03-28
MD5: 20e82801d2b5b859faab91680dbcb903 SHA-1: 2d4582423a92e30747cc1a1b82bec6918ce97622 SHA-256: cd14dbd23e95a17e028844bca91c696767a5b3aabda1dee33ca27d5f56b03649
140 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The RTF document contains OLE object data and is configured to force OLE activation, indicating an attempt to exploit embedded objects. Specifically, the RTF_EQUATION_EDITOR heuristic strongly suggests the use of the Equation Editor vulnerability (CVE-2017-11882) for initial execution. This technique is commonly used to download and execute further malicious stages.

Heuristics 4

  • Split hex Equation Editor ProgID + OLE object critical RTF_EQUATION_EDITOR
    RTF embeds the Equation.3 ProgID as hex bytes near OLE object activation and splits the byte stream with whitespace or an ignorable RTF group. This is an Equation Editor OLE activation surface commonly used by CVE-2017-11882 / CVE-2018-0802 exploit documents.
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects
  • Embedded OLE object medium RTF_OBJEMB
    RTF contains \objemb — embedded OLE object

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off00001c5c.bin
7db0386799e2dba7d3a6b63ae37a2b8397e7f4d6542477d101b99e3a6c8e12b3		 rtf-objdata-decoded RTF \objdata at offset 0x1C5C 1466 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.