Malicious RTF — malware analysis report

Static analysis result for SHA-256 d9c48d17fccf4c21…

MALICIOUS

RTF

91.0 KB First seen: 2024-09-26
MD5: 9cb9142659aa46876659d869b522a616 SHA-1: 7704e37a8ec272ec3a8f24c2f56e8e0c0071a7fe SHA-256: d9c48d17fccf4c215621206bf43697a8e56120e21a6fe8669ec36a5be8e05a43
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.001 User Execution: Malicious Link T1059.003 Windows Command Shell T1105 Ingress Tool Transfer

The file is an RTF document containing an embedded OLE object, specifically targeting the Equation Editor vulnerability. The presence of \objupdate indicates that the OLE object is designed to be activated automatically, likely leading to the execution of a secondary payload. This pattern is commonly used to deliver malware.

Heuristics 3

  • Split hex Equation Editor ProgID + OLE object critical RTF_EQUATION_EDITOR
    RTF embeds the Equation.3 ProgID as hex bytes near OLE object activation and splits the byte stream with whitespace or an ignorable RTF group. This is an Equation Editor OLE activation surface commonly used by CVE-2017-11882 / CVE-2018-0802 exploit documents.
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off000016a0.bin
ed97acb7aec790b0fc89db5142a7570151e9b06da59544eff34c07265e69d6ae		 rtf-objdata-decoded RTF \objdata at offset 0x16A0 1771 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.