Malicious RTF — malware analysis report

Static analysis result for SHA-256 d2af7393dc6160c8…

MALICIOUS

Type: RTF
Size: 24.8 KB
First seen: 2023-04-21
MD5: 641d203073155b565066099a0be1a7bf
SHA-1: e54a73378d990a7fddadc4d216732b4d98d1b729
SHA-256: d2af7393dc6160c8e52de28e944024c1a6a0237bee5a67453fda8b2fe11d0b87
Risk score: 120

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The sample is an RTF document containing embedded OLE object data that triggers the heuristics for Equation Editor exploitation and for forced OLE object updates on open. This combination indicates a likely attempt to exploit the Equation Editor vulnerability CVE-2017-11882, or one of its patch-bypass variants (CVE-2018-0802, CVE-2018-0798), to achieve arbitrary code execution when the document is opened. The embedded OLE object is the primary indicator of compromise. The verdict is based on these structural indicators; the carved object below should be examined to confirm which Equation Editor flaw is targeted and what payload it carries.

Heuristics (3)

  • RTF_EQUATION_EDITOR (critical): Equation Editor CLSID
    Equation Editor OLE CLSID found inside an OLE object; this component is targeted by CVE-2017-11882 / CVE-2018-0802 / CVE-2018-0798.
  • RTF_OBJUPDATE (high): \objupdate forces OLE activation
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • RTF_OBJDATA (medium): OLE object data
    RTF contains 1 \objdata section(s), i.e. embedded OLE objects.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off000010a1.bin
SHA-256: 1ba27ca1487d84d86f14c40f0ba68d625efdbd1ab9d141dbf2419dc60863bfab
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x10A1
Size: 4183 bytes