Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 cd34e596b8495650…

MALICIOUS

RTF / .DOC

38.6 KB First seen: 2023-05-08
MD5: 099b7c642dd936c52d1bcbc9a90f13a3 SHA-1: 5bcef478e646bba62de158f9625b7776b2a756ee SHA-256: cd34e596b84956502c4844a029b087b39d92527bb5d79022dd19731c9acf47c5
140 Risk Score

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File: User Execution

The sample is an RTF document exploiting the Equation Editor vulnerability, indicated by the RTF_EQUATION_EDITOR and RTF_OBJUPDATE heuristics. It uses a common lure to trick users into enabling content, suggesting it's a dropper for a malicious payload. No scripts were extracted, and the document body content is unrelated to the exploit, serving only as a distraction.

Heuristics 4

  • Split hex Equation Editor ProgID + OLE object critical RTF_EQUATION_EDITOR
    RTF embeds the Equation.3 ProgID as hex bytes near OLE object activation and splits the byte stream with whitespace or an ignorable RTF group. This is an Equation Editor OLE activation surface commonly used by CVE-2017-11882 / CVE-2018-0802 exploit documents.
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects
  • Macro/content-enable lure medium SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off00005094.bin
d88585852eed619b320e3026f06bd79b262c15e6cc2a2dbeb876e24a27ecd8fe		 rtf-objdata-decoded RTF \objdata at offset 0x5094 1750 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.