Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 e01846f8b992ea25…

MALICIOUS

RTF / .DOC

Size: 25.2 KB
First seen: 2022-08-02
MD5: 6c1c3aca712ac06d9f22a8308829e23d
SHA-1: e20554de2973328ed178e4de496b293409e2d349
SHA-256: e01846f8b992ea2500398876286c0cda092b53908978edac2926846b8bd91fe0
Risk Score: 160

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution
T1204.002 Malicious File

The sample is an RTF document containing OLE object data and specifically triggers heuristics related to the Equation Editor vulnerability (CVE-2017-11882). The presence of \objdata and \objupdate directives strongly suggests an attempt to exploit this vulnerability for remote code execution. The decoded OLE object data has high entropy, indicating it likely contains obfuscated or packed code, consistent with a downloader or initial access payload.

Heuristics (4)

  • Ole10Native stream in RTF OLE object (severity: high; CVE related; rule: RTF_OLE10NATIVE_STREAM)
    RTF contains an embedded OLE object with an Ole10Native stream. This is a strong payload-container signal and is related to Word/OLE exploit delivery, but it is not specific enough on its own to assign a CVE.
  • Equation Editor CLSID (severity: critical; rule: RTF_EQUATION_EDITOR)
    Equation Editor OLE CLSID found inside an OLE object; exploited by CVE-2017-11882 / CVE-2018-0802 / CVE-2018-0798.
  • \objupdate forces OLE activation (severity: high; rule: RTF_OBJUPDATE)
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium; rule: RTF_OBJDATA)
    RTF contains 2 \objdata section(s), i.e. embedded OLE objects.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00001f3f.bin
SHA-256: 38f2e7ef36be004566455ea98a2c22838e233f0f85ce56afd4ef2023a1fbe9d3
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x1F3F
Size: 4289 bytes