Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 e8c962f875deb51f…

MALICIOUS

RTF / .DOC

26.8 KB
MD5: 97743d81c54205bcb2244b4e16e5ff64 SHA-1: 6b9d3d0e4214685720e3e0fd0f697154bcf81813 SHA-256: e8c962f875deb51ff487faeeef40cee746dad2a388e8dd5b85e94f651517977c
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment T1204.002 Malicious File: User Execution: Malicious File

The file is an RTF document that contains embedded OLE object data, specifically targeting the Equation Editor. Heuristics indicate that \objupdate forces OLE activation, which is a known technique for exploiting vulnerabilities like CVE-2017-11882. This exploit likely leads to the download and execution of a second-stage payload.

Heuristics 3

  • Split hex Equation Editor ProgID + OLE object critical RTF_EQUATION_EDITOR
    RTF embeds the Equation.3 ProgID as hex bytes near OLE object activation and splits the byte stream with whitespace or an ignorable RTF group. This is an Equation Editor OLE activation surface commonly used by CVE-2017-11882 / CVE-2018-0802 exploit documents.
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 2 \objdata section(s) — embedded OLE objects

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off00000b67.bin
7e1b2c3215b2da7e7feae7bd2a1380ec698cf39107faeca8b4fb2eb7bdf23669		 rtf-objdata-decoded RTF \objdata at offset 0xB67 1475 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.