RTF malware analysis — malicious · d3682eddbd2e8797

MALICIOUS

RTF

11.2 KB First seen: 2020-05-25

MD5: 9b306bf1c0bdba611027a24adc271b98 SHA-1: eaca783a31ebf1bbbc4c193a08bbde10b938821e SHA-256: d3682eddbd2e87977c05d4c14ecd7fc9ce89a54df562669eb64fd1d29221a140

160 Risk Score

Malware Insights

MITRE ATT&CK

T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The RTF file contains an embedded OLE object with an Equation Editor CLSID, and an \objupdate directive which forces OLE activation. This strongly suggests exploitation of a vulnerability within the Equation Editor component. The OLE object's Ole10Native stream was decoded, indicating it likely contains a secondary payload or exploit code. The document body was heavily obfuscated and truncated, preventing a clear understanding of its specific lure.

Heuristics 4

Equation Editor CLSID critical CVE likely RTF_EQUATION_EDITOR

Equation Editor OLE CLSID found inside an OLE object — exploited by CVE-2017-11882 / CVE-2018-0802 / CVE-2018-0798
Ole10Native stream in RTF OLE object high CVE related RTF_OLE10NATIVE_STREAM

RTF contains an embedded OLE object with an Ole10Native stream. This is a strong payload-container signal and is related to Word/OLE exploit delivery, but it is not specific enough on its own to assign a CVE.
\objupdate forces OLE activation high RTF_OBJUPDATE

RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
OLE object data medium RTF_OBJDATA

RTF contains 1 \objdata section(s) — embedded OLE objects

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`objdata_00_off00000adf.bin`	rtf-objdata-decoded	RTF \objdata at offset 0xADF	4156 bytes
SHA-256: `dbfe3d3db5f05eafdadb0fc4572edbdb5a66990f4b6938fa36872e82c04e25c7`

Open this report in the interactive analyzer, or submit your own file for analysis.