Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 e8f18f6487f71106…

Verdict: MALICIOUS
File type: RTF / .DOC
Size: 1.53 MB
MD5: afcede840d453cac15261a5407ef93fe
SHA-1: f6782e594f11f7ba6bd61ab78fba5db15459bbd7
SHA-256: e8f18f6487f71106ffa08913661408ac8a473895c4ff5f880c596fce5760b1a1
Risk Score: 200

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.001 User Execution: Malicious Link
  • T1059.003 Command and Scripting Interpreter: Windows Command Shell

The RTF file contains multiple indicators of exploitation targeting the Equation Editor vulnerability. The presence of OLE object data, excessive hex-encoded data within objdata sections, and specific CLSIDs strongly suggest the embedding of a malicious object designed to be activated via \objupdate. This pattern is commonly used to download and execute a second-stage payload, although no specific payload or URL was directly extracted from this sample.

Heuristics (6)

  • Composite Moniker in RTF OLE object [severity: high, CVE related] (RTF_COMPOSITE_MONIKER_RELATED)
    RTF contains Composite Moniker CLSID in OLE object context, but no nearby scriptlet/SCT payload was confirmed. Treat as related moniker attack-surface evidence rather than proof of CVE-2017-8570 exploitation.
  • Equation Editor CLSID [severity: critical] (RTF_EQUATION_EDITOR)
    Equation Editor OLE CLSID found inside an OLE object — exploited by CVE-2017-11882 / CVE-2018-0802 / CVE-2018-0798
  • \objupdate forces OLE activation [severity: high] (RTF_OBJUPDATE)
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • Large hex data blocks in OLE object [severity: high] (RTF_EXCESSIVE_HEX)
    RTF contains ~1603KB of hex-encoded data inside \objdata sections — may hide a payload
  • OLE object data [severity: medium] (RTF_OBJDATA)
    RTF contains 2 \objdata section(s) — embedded OLE objects
  • Embedded URL [severity: info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://bit.ly/2RtXXbV

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00000796.bin
SHA-256:  1e9e435b7e41960919cf3911f7495b56570dcdbf444e2467ed7c6807c04b438d
Kind:     rtf-objdata-decoded
Source:   RTF \objdata at offset 0x796
Size:     801872 bytes