Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 d1905cf2fc0947e1…

Verdict: MALICIOUS
File type: RTF / .DOC
Size: 19.3 KB
MD5: 807b4de71e74d318dae0f80097a95cf2
SHA-1: ae4cc1b547d6fa1fac9a00a5ef04197d4fd2e349
SHA-256: d1905cf2fc0947e19e0898e1c844059dcd8dce0547b607d88e253cb3c7969876
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1059.001 Command and Scripting Interpreter: PowerShell

The critical RTF_EQUATION_EDITOR heuristic indicates that the document targets a known vulnerability in Microsoft Equation Editor (EQNEDT32.EXE), the component abused by CVE-2017-11882 / CVE-2018-0802 exploit documents. The high-severity RTF_OBJUPDATE heuristic indicates that the embedded OLE object is activated automatically when the document is opened, with no click or "enable content" prompt required. No script or second-stage payload was extracted from the sample, so the T1059.001 (PowerShell) mapping is inferred from the exploit pattern rather than observed; even so, the combination of these heuristics strongly suggests the document's purpose is to achieve code execution, most likely to download and run a second-stage payload.

Heuristics (3)

  • RTF_EQUATION_EDITOR (critical): split hex Equation Editor ProgID + OLE object
    The RTF embeds the Equation.3 ProgID as hex bytes near the OLE object activation and splits the byte stream with whitespace or an ignorable RTF group, which defeats a naive search for the contiguous hex string. This is the Equation Editor OLE activation surface commonly used by CVE-2017-11882 / CVE-2018-0802 exploit documents.
  • RTF_OBJUPDATE (high): \objupdate forces OLE activation
    The RTF contains \objupdate, which forces automatic instantiation of the OLE object when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • RTF_OBJDATA (medium): OLE object data
    The RTF contains 2 \objdata sections (embedded OLE objects).
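As an added example, not part of this report or of the scanner that produced it, the following Python reproduces the three RTF heuristics above on a constructed sample: it carves each \objdata group with its offset and decoded size (the same information the artifact list reports), normalises away the whitespace and ignorable-group splitting, checks the decoded OLE data for the Equation.3 ProgID, and flags \objupdate. The sample RTF, the benign control document, the regular expressions and the severity mapping are my own assumptions; the ignorable-group handling is deliberately limited to non-nested groups.

```python
import re

# Equation Editor 3.0 ProgID as it appears in the OLE1 object header; the
# RTF_EQUATION_EDITOR heuristic keys on its hex form 4571756174696f6e2e33.
EQUATION_PROGID = b"Equation.3"
EQUATION_PROGID_HEX = EQUATION_PROGID.hex()

# Constructed sample, NOT the analysed file and NOT an exploit: only the
# structural markers are realistic. The ProgID hex is interrupted by
# whitespace, a line break and an ignorable {\*...} group, and \objupdate is
# set so Word would instantiate the object on open.
SAMPLE_RTF = r"""{\rtf1\ansi\deff0
{\object\objemb\objupdate\objw1000\objh1000
{\*\objdata 01050000020000000b000000 4571 7561
{\*\ignorable junk}7469 6f6e 2e33 00 0000000000000000}}
\par Document body.
}"""

# Constructed benign control: an embedded "Package" object, no \objupdate.
BENIGN_RTF = r"""{\rtf1\ansi{\object\objemb{\*\objdata 01050000020000000800000050 61636b61676500}}}"""

OBJDATA_RE = re.compile(r"\\objdata(?![A-Za-z])")
OBJUPDATE_RE = re.compile(r"\\objupdate(?![A-Za-z])")
IGNORABLE_GROUP_RE = re.compile(r"\{\\\*[^{}]*\}")   # {\*\word ...} without nested braces
CONTROL_WORD_RE = re.compile(r"\\[A-Za-z]+-?\d* ?")


def extract_objdata(rtf):
    """Yield (offset, raw group text) for each \\objdata destination, honouring nested braces."""
    for m in OBJDATA_RE.finditer(rtf):
        depth, i = 1, m.end()
        while i < len(rtf) and depth:
            c = rtf[i]
            if c == "\\":        # control symbol or escaped brace: skip the next char
                i += 1
            elif c == "{":
                depth += 1
            elif c == "}":
                depth -= 1
            i += 1
        yield m.start(), rtf[m.end():i - 1]


def normalise_hex(raw):
    """Undo the splitting tricks: drop ignorable groups and control words, keep only hex digits."""
    s = IGNORABLE_GROUP_RE.sub("", raw)
    s = CONTROL_WORD_RE.sub("", s)
    s = re.sub(r"[^0-9A-Fa-f]", "", s).lower()
    return s[: len(s) & ~1]      # drop a dangling nibble so bytes.fromhex() cannot fail


def analyse(rtf):
    """Apply the RTF_OBJDATA / RTF_OBJUPDATE / RTF_EQUATION_EDITOR checks to one RTF document."""
    findings = {"objupdate": bool(OBJUPDATE_RE.search(rtf)), "objdata_count": 0,
                "equation_editor": False, "split_progid": False, "objects": []}
    for offset, raw in extract_objdata(rtf):
        data = bytes.fromhex(normalise_hex(raw))
        hit = EQUATION_PROGID in data
        findings["objdata_count"] += 1
        findings["objects"].append({"offset": f"0x{offset:X}", "size": len(data),
                                    "equation_editor": hit})
        if hit:
            findings["equation_editor"] = True
            # Hit only after normalisation: the ProgID hex was split in the source text.
            if EQUATION_PROGID_HEX not in raw.lower():
                findings["split_progid"] = True
    if findings["equation_editor"]:
        findings["severity"] = "critical"
    elif findings["objupdate"]:
        findings["severity"] = "high"
    elif findings["objdata_count"]:
        findings["severity"] = "medium"
    else:
        findings["severity"] = "none"
    return findings


if __name__ == "__main__":
    for name, doc in (("sample", SAMPLE_RTF), ("benign", BENIGN_RTF)):
        print(name, analyse(doc))
```

A ProgID hit that appears only after normalisation is exactly the split-hex case the critical heuristic describes, which is why it is scored above a plain \objdata finding. This is a triage check rather than a full RTF parser: real samples also use \bin runs, nested ignorable groups and other obfuscation, so treat a negative result from this script as inconclusive.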

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00001b8e.bin
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x1B8E
Size: 1619 bytes
SHA-256: 67666b8b18edf3eaec0829a66b88f550d7a47dece5825d1ce67fe53b81ac24ff