Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 de9222bf0bfdf406…

MALICIOUS

RTF / .DOC

10.9 KB First seen: 2022-03-31
MD5: 950921ba37aad9f6c8eba84ba93e78a4 SHA-1: 7fc5bd7768cfdd44bd36dfa1115c6edb88c56b08 SHA-256: de9222bf0bfdf406ac223c699f0c1f05ca19cee20fc041ede361e1137a564dc2
121 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1059.001 PowerShell T1105 Ingress Tool Transfer

The sample is an RTF document that leverages the Equation Editor vulnerability (CVE-2017-11882), as indicated by the RTF_EQUATION_EDITOR and RTF_OBJUPDATE heuristic firings. The presence of OLE object data suggests it's designed to embed and execute malicious content. The primary attack vector appears to be exploiting this known vulnerability to achieve code execution, likely for downloading and running a subsequent stage.

Heuristics 3

  • Split hex Equation Editor ProgID + OLE object critical RTF_EQUATION_EDITOR
    RTF embeds the Equation.3 ProgID as hex bytes near OLE object activation and splits the byte stream with whitespace or an ignorable RTF group. This is an Equation Editor OLE activation surface commonly used by CVE-2017-11882 / CVE-2018-0802 exploit documents.
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 2 \objdata section(s) — embedded OLE objects

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off00001b4a.bin
1618cbba2c1da83840d8140b6c54d77fc8b5d1d2da4bf04819c96210a94640bd		 rtf-objdata-decoded RTF \objdata at offset 0x1B4A 1865 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.