RTF malware analysis — malicious · cd48d98b36acc141

MALICIOUS

RTF

22.5 KB

MD5: b599ec3e9bfc21653e7241405db917c6 SHA-1: ca17046443d8b88ecd6282cc5007ffc01e1de7fe SHA-256: cd48d98b36acc14170b1b289d3d658b43bda6854a8ffa118490073fd42dbbac6

160 Risk Score

Malware Insights

MITRE ATT&CK

T1203 Exploitation for Client Execution T1059.001 PowerShell

The RTF document contains embedded OLE object data and specifically triggers heuristics related to the Equation Editor vulnerability (RTF_EQUATION_EDITOR). The ".\objupdate" directive further indicates that the embedded OLE object is intended to be activated, which is a common method for exploiting the Equation Editor vulnerability to achieve arbitrary code execution. This suggests the document is designed to exploit this known vulnerability to deliver a malicious payload.

Heuristics 4

Ole10Native stream in RTF OLE object high CVE related RTF_OLE10NATIVE_STREAM

RTF contains an embedded OLE object with an Ole10Native stream. This is a strong payload-container signal and is related to Word/OLE exploit delivery, but it is not specific enough on its own to assign a CVE.
Equation Editor CLSID critical RTF_EQUATION_EDITOR

Equation Editor OLE CLSID found inside an OLE object — exploited by CVE-2017-11882 / CVE-2018-0802 / CVE-2018-0798
\objupdate forces OLE activation high RTF_OBJUPDATE

RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
OLE object data medium RTF_OBJDATA

RTF contains 2 \objdata section(s) — embedded OLE objects

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`objdata_00_off00000e01.bin` `a78234c62560834299d37e9602d052e8bac4d533abcc2d7849e9c42010b66a6d`	rtf-objdata-decoded	RTF \objdata at offset 0xE01	4183 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.