Malicious RTF — malware analysis report

Static analysis result for SHA-256 d1780059b80a7cc4…

Verdict: MALICIOUS
File type: RTF
Size: 683.3 KB
First seen: 2022-07-02
MD5: 162797d07b42fe13c26bd1bae4cdbf73
SHA-1: 52028c1b67484d9eea0a647cc955598491e36c7c
SHA-256: d1780059b80a7cc4ae264036529a8e68f8ecc8ea7f98722adf8efb1fac863c22
Risk Score: 122

Heuristics (4)

  • Decoded Equation Editor payload + PE (severity: critical, CVE likely; rule: RTF_EQUATION_EDITOR)
    RTF decodes to an Equation Editor ProgID adjacent to OLE activation and the same decoded object stream contains embedded PE bytes. This matches the Equation Editor exploit surface used by CVE-2017-11882 / CVE-2018-0802 documents, while requiring payload evidence to avoid flagging benign Equation references.
  • \objupdate forces OLE activation (severity: high; rule: RTF_OBJUPDATE)
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium; rule: RTF_OBJDATA)
    RTF contains 1 \objdata section(s), i.e. embedded OLE object(s).
  • Suspicious extracted artifact (severity: info; rule: EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00000043.bin
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x43
Size: 349747 bytes
SHA-256: 45da69f2bf14ade01857bed699a74c6db02dabe3b5194277a008eb14f876283b
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy: 7.99, consistent with packed or encrypted content.