Malicious RTF — malware analysis report

Static analysis result for SHA-256 dd17b3d71d68e06e…

Verdict: MALICIOUS
Type: RTF
Size: 104.0 KB
First seen: 2024-10-06
MD5: cdad1cbda2a0cc1260fb09a0585b287c
SHA-1: 0c7e90eaf2afd275736c30b4f09ed20237d641f8
SHA-256: dd17b3d71d68e06e489f4f2cdd39b2947a5aca99c706599b52c4724960c43ad2
Risk Score: 120

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution
T1059.001 Command and Scripting Interpreter: PowerShell

The sample is an RTF document containing an OLE object whose Equation Editor ProgID (Equation.3) is hex-encoded and split across whitespace or ignorable RTF groups, a signature-evasion pattern characteristic of documents exploiting CVE-2017-11882 (a stack buffer overflow in the legacy Equation Editor component, EQNEDT32.EXE, reached when the object is loaded). The \objupdate control word makes Office update, and therefore instantiate, the OLE object as soon as the document is opened, so the exploit runs without the user interacting with the object. The embedded OLE object data is likely the exploit code itself or a secondary payload designed to download and execute further malicious content; it is carved as the extracted artifact listed at the end of this report and is the component to examine next.

Heuristics 3

  • Split hex Equation Editor ProgID + OLE object critical RTF_EQUATION_EDITOR
    RTF embeds the Equation.3 ProgID as hex bytes inside the OLE object data, next to the object activation keywords, and the hex stream is broken up with whitespace or an ignorable {\*\...} group so that a naive match on the contiguous hex string fails. This is the Equation Editor OLE activation surface used by CVE-2017-11882 / CVE-2018-0802 exploit documents.
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate, which makes the object update (and so its OLE server load) automatically when the document is opened, with no user interaction. In practice almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section (an embedded OLE object). On its own this is common in benign documents, hence the medium rating.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: objdata_00_off000017f2.bin
SHA-256: c3b3311a55ea91c944e6803878a214c28a17a4ab0210b1ace6243af0d8c289ae
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x17F2
Size: 2000 bytes
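The following is an added example, not code from the analysis platform that produced this report. It shows how the three heuristics above and the artifact carving fit together: it locates each \objdata destination, collects the hex digits while skipping nested ignorable groups and control words, decodes the OLE1 blob (naming it the way the artifact table does, from the offset of the \objdata keyword), reads the class name from the OLE1 header, and measures whether the hex digits of the Equation Editor ProgID were contiguous in the file. The ProgID list, the two constructed RTF inputs, and the mapping onto the heuristic IDs are assumptions made for the example; the real sample is not reproduced here.

```python
# Added example, not the analysis platform's code: carve RTF \objdata blobs,
# undo whitespace / ignorable-group splitting of the hex stream, and flag the
# Equation Editor ProgID and \objupdate the heuristics above describe.
import re
import struct

# Assumption: ProgIDs that name the legacy Equation Editor OLE server.
EQUATION_PROGIDS = (b"Equation.3", b"Equation.2")
HEX_DIGITS = frozenset(b"0123456789abcdefABCDEF")
_OBJDATA_RE = re.compile(rb"\\objdata(?![A-Za-z])")
_OBJUPDATE_RE = re.compile(rb"\\objupdate(?![A-Za-z])")

# Constructed sample (not the analysed file): an OLE1 object whose class name
# "Equation.3" is hex-encoded, broken by spaces and an ignorable group, and
# forced to load via \objupdate. Trailing OLE1 fields are abbreviated.
SAMPLE_RTF = (
    rb"{\rtf1\ansi{\object\objemb\objupdate{\*\objclass Equation.3}"
    rb"{\*\objdata 01050000 02000000 0b000000 "
    rb"4571 7561{\*\ignoreme 4242}74 696f6e2e33 00 "
    rb"00000000 00000000 41414141 }}}"
)
# Constructed benign control: an embedded Word document with contiguous hex.
BENIGN_RTF = (
    rb"{\rtf1\ansi{\object\objemb{\*\objclass Word.Document.8}"
    rb"{\*\objdata 01050000020000001000000057"
    rb"6f72642e446f63756d656e742e3800}}}"
)


def carve_objdata(rtf):
    """Yield (keyword_offset, decoded_bytes, hex_digit_offsets) per \\objdata.
    Nested {...} groups are skipped, control words are never read as hex,
    whitespace is ignored, and every consumed hex digit keeps its raw file
    offset so that splitting of the stream can be measured afterwards."""
    for m in _OBJDATA_RE.finditer(rtf):
        i, depth, hex_chars, offsets = m.end(), 0, bytearray(), []
        while i < len(rtf):
            c = rtf[i]
            if c == ord("\\"):                    # control word or symbol
                j = i + 1
                while j < len(rtf) and chr(rtf[j]).isalnum():
                    j += 1
                i = j if j > i + 1 else i + 2
                continue
            if c == ord("{"):
                depth += 1
            elif c == ord("}"):
                if depth == 0:
                    break                         # end of the \objdata group
                depth -= 1
            elif depth == 0 and c in HEX_DIGITS:
                hex_chars.append(c)
                offsets.append(i)
            i += 1
        if len(hex_chars) % 2:                    # drop a dangling nibble
            hex_chars.pop()
            offsets.pop()
        yield m.start(), bytes.fromhex(hex_chars.decode("ascii")), offsets


def ole1_class_name(blob):
    """Class name from an OLE1 ObjectHeader: version(4) format(4) len(4) name."""
    if len(blob) < 12 or blob[:4] != b"\x01\x05\x00\x00":
        return None
    n = struct.unpack_from("<I", blob, 8)[0]
    name = blob[12:12 + n]
    return name.rstrip(b"\x00") if len(name) == n else None


def analyse_rtf(rtf):
    """Report \\objupdate and every carved OLE object, named as in the report."""
    objects = []
    for idx, (off, blob, hexoffs) in enumerate(carve_objdata(rtf)):
        progid = next((p for p in EQUATION_PROGIDS if p in blob), None)
        split = False
        if progid is not None:
            start = blob.index(progid)
            first = hexoffs[2 * start]
            last = hexoffs[2 * (start + len(progid)) - 1]
            split = (last - first + 1) != 2 * len(progid)  # n bytes = 2n chars if contiguous
        objects.append({
            "name": f"objdata_{idx:02d}_off{off:08x}.bin",
            "offset": off, "size": len(blob),
            "class_name": ole1_class_name(blob),
            "equation_progid": progid, "split_progid": split,
        })
    return {"objupdate": _OBJUPDATE_RE.search(rtf) is not None, "objects": objects}


def triggered_heuristics(rtf):
    """Map findings onto the report's heuristic IDs, lowest severity first."""
    r = analyse_rtf(rtf)
    hits = []
    if r["objects"]:
        hits.append("RTF_OBJDATA")                # medium
    if r["objupdate"]:
        hits.append("RTF_OBJUPDATE")              # high
    if any(o["split_progid"] for o in r["objects"]):
        hits.append("RTF_EQUATION_EDITOR")        # critical
    return hits
```

To run it against a file, pass the raw bytes (`analyse_rtf(open(path, "rb").read())`) and write each object's decoded bytes under its `name`. The split check deliberately measures the raw span of the ProgID's own hex digits rather than looking for whitespace anywhere in the stream, so a document that merely wraps long hex lines is not reported as evasive, while one that interrupts the ProgID with a single space or an ignorable group is.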