Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 e88953d22f49865a…

Verdict: MALICIOUS

File type: RTF / .DOC

Size: 5.2 KB

MD5: ce04e8caec525d29591d2406c9645abb
SHA-1: 3b992cde22839d400755d31be7ea98e9abc779dd
SHA-256: e88953d22f49865a5bf30c832945c31a2f52a799bf25264134be33b7b3173578

Risk Score: 120

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The RTF document contains embedded OLE object data, specifically targeting the Equation Editor vulnerability. The \objupdate directive indicates that the embedded object will be automatically activated upon opening the document, leading to exploitation. This pattern is commonly used to deliver a second-stage payload.

Heuristics (3)

  • Split hex Equation Editor ProgID + OLE object (severity: critical; rule: RTF_EQUATION_EDITOR)
    RTF embeds the Equation.3 ProgID as hex bytes near OLE object activation and splits the byte stream with whitespace or an ignorable RTF group. This is an Equation Editor OLE activation surface commonly used by CVE-2017-11882 / CVE-2018-0802 exploit documents.
  • \objupdate forces OLE activation (severity: high; rule: RTF_OBJUPDATE)
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium; rule: RTF_OBJDATA)
    RTF contains 2 \objdata section(s): embedded OLE objects.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off000000d5.bin
SHA-256: 29944f11ac336b75c4cee0d2f02d6153b150f309b010ae6416f92be52a296336
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0xD5
Size: 2356 bytes