Malicious RTF — malware analysis report

Static analysis result for SHA-256 d1eac8661e925181…

MALICIOUS

RTF

Size: 173.5 KB
First seen: 2024-06-27
MD5: 71ee0c2a6053262bfceb4cd2b0aa4117
SHA-1: 54958aab3879aa2088b7f24a56ead4604e2ba559
SHA-256: d1eac8661e9251814c1e918854f9cad7040a46fb11cf0cd289c1f49227ad4efc
Risk score: 160

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The RTF file triggers critical-severity heuristics indicating exploitation of the Equation Editor (RTF_EQUATION_EDITOR) via OLE object activation (RTF_OBJAUTLINK, RTF_OBJUPDATE). This technique is commonly used to achieve arbitrary code execution. No specific payload or URL was directly extracted, but the presence of OLE object data indicates an embedded object that, when activated, triggers the exploit. The attack pattern is inferred from the exploitation method rather than from a recovered payload.

Heuristics (4)

  • Equation Editor CLSID [critical] RTF_EQUATION_EDITOR
    Equation Editor OLE CLSID found inside an OLE object — exploited by CVE-2017-11882 / CVE-2018-0802 / CVE-2018-0798.
  • Automatically linked OLE object [high] RTF_OBJAUTLINK
    RTF contains \objautlink — an automatically linked OLE object that can be updated or activated when Word opens the document.
  • \objupdate forces OLE activation [high] RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, without any user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data [medium] RTF_OBJDATA
    RTF contains 1 \objdata section (embedded OLE object data).

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00001116.bin
  SHA-256: 4085a0f148ac404169f27208931c2d704d28d9370a99faba591c24ae953896d7
  Kind:    rtf-objdata-decoded
  Source:  RTF \objdata at offset 0x1116
  Size:    4182 bytes