Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 eb4cb509d66beec8…

MALICIOUS

RTF / .DOC

1.85 MB
MD5: e6f7f090c8a3b9e4069bef1155ce112a
SHA-1: fd1a59c734a2a57d3596e8c21d0b1efd5957dad7
SHA-256: eb4cb509d66beec820f99483870897c8d8f4157f61533a5e958a6224a8fc8cc1
Risk Score: 162

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File
  • T1071.001 Web Protocols

The file is an RTF document containing a decoded Equation Editor payload, indicating an exploit attempt. The presence of OLE object data and excessive hex data suggests the embedding of a malicious executable. The primary attack vector appears to be exploiting the Equation Editor vulnerability to facilitate the download and execution of a secondary payload, likely from the embedded object.

Heuristics (5)

  • Decoded Equation Editor payload + PE [critical] RTF_EQUATION_EDITOR
    RTF decodes to an Equation Editor ProgID adjacent to OLE activation, and the same decoded object stream contains embedded PE bytes. This matches the Equation Editor exploit surface used by CVE-2017-11882 / CVE-2018-0802 documents, while requiring payload evidence to avoid flagging benign Equation references.
  • \objupdate forces OLE activation [high] RTF_OBJUPDATE
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • Large hex data blocks in OLE object [high] RTF_EXCESSIVE_HEX
    RTF contains ~1934KB of hex-encoded data inside \objdata sections, which may hide a payload.
  • OLE object data [medium] RTF_OBJDATA
    RTF contains 1 \objdata section(s) (embedded OLE objects).
  • Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00000946.bin
SHA-256: 9048278a541e2daacba75492e220f8e8862190cd4123d7d11e3be1d73be58184
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x946
Size: 967062 bytes

Detection
  ClamAV: No threats found
  Obfuscation or payload: likely
  Carved artifact entropy is 7.99, consistent with packed or encrypted content.