Malicious RTF — malware analysis report

Static analysis result for SHA-256 d715685adcd6a1d0…

Verdict: MALICIOUS
File type: RTF
Size: 1.39 MB
Created: 2021-03-12 10:42:00
MD5: 06a26618d2de0866e7cc1d177daf253a
SHA-1: 197898ba22e7eaf4d1e099aae619fef65a759fd1
SHA-256: d715685adcd6a1d077b0dd9fbc45ae033ce56bd585a93b0c0ead916c047d9d3c
Risk Score: 160

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File

The RTF file contains critical heuristic firings indicating the exploitation of the Equation Editor (RTF_EQUATION_EDITOR, RTF_OBJCLASS_EQUATION). This suggests the file is designed to exploit a vulnerability within the Equation Editor component, likely to execute arbitrary code. The presence of OLE object data further supports the embedding of malicious content. While no scripts were extracted, the critical heuristics strongly point to a known exploit delivery mechanism.

Heuristics (5)

  • Equation Editor CLSID critical RTF_EQUATION_EDITOR
    Equation Editor OLE CLSID found inside an OLE object — exploited by CVE-2017-11882 / CVE-2018-0802 / CVE-2018-0798
  • Equation Editor object class critical RTF_OBJCLASS_EQUATION
    Object class 'equation.3' references Equation Editor
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects
  • Embedded OLE object medium RTF_OBJEMB
    RTF contains \objemb — embedded OLE object
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.microsoft.com/office/word/2003/wordml

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off0013a9fa.bin
SHA-256: d7911566cbd39fa4cbb7a7c7aba83d325d79b64b59db686bfe382dfebd30dd21
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x13A9FA
Size: 39190 bytes