Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 ce53c97a3f040dad…

MALICIOUS

RTF / .DOC

3.9 KB
MD5: 8f0c3ff4740ecc3efd564329aac5e652 SHA-1: 7fe3be34cb5edd69acdc9e00e63c504c037e7744 SHA-256: ce53c97a3f040dad92f109dba7902d7cc3540ccd1c3f6ae8e82553fa26a76f81
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious File

The RTF document contains an embedded OLE object with decoded Equation Editor payload, indicating a likely exploit. The \objupdate directive suggests that the OLE object is automatically activated upon opening, leading to the execution of the embedded Portable Executable (PE) file. This is a common delivery mechanism for malware.

Heuristics 3

  • Decoded Equation Editor payload + PE critical RTF_EQUATION_EDITOR
    RTF decodes to an Equation Editor ProgID adjacent to OLE activation and the same decoded object stream contains embedded PE bytes. This matches the Equation Editor exploit surface used by CVE-2017-11882 / CVE-2018-0802 documents, while requiring payload evidence to avoid flagging benign Equation references.
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off00000065.bin
7719e6a328cdfe70d17ec940d518e4cd07b34f8246b9fde8fb25566b2fcf528f		 rtf-objdata-decoded RTF \objdata at offset 0x65 1856 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.