Malicious RTF — malware analysis report

Static analysis result for SHA-256 ec788f3329aa4787…

MALICIOUS

RTF

1.76 MB First seen: 2022-03-22
MD5: a5ceec9be1fbda4d8f46b7f1df138a4f SHA-1: 40ec57d1f7bfbcdd9190b9b742b599cef6a5f496 SHA-256: ec788f3329aa478717c25cce48b76c1789157f6d24d0083dbe6556d6a87d9ca0
340 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment T1204.001 User Execution: Malicious Link T1203 Exploitation for Client Execution

The file is an RTF document containing embedded OLE objects, specifically triggering critical heuristics for Equation Editor exploitation (CVE-2018-0802). The presence of large amounts of hex-encoded data within the OLE object suggests a hidden payload. The ClamAV detection ID further confirms the exploitation of CVE-2018-0802, which is commonly used to download and execute secondary malware. No scripts were extracted, but the RTF structure and heuristics strongly indicate a malicious exploit targeting the Equation Editor.

Heuristics 8

  • Composite Moniker in RTF OLE object high CVE related RTF_COMPOSITE_MONIKER_RELATED
    RTF contains Composite Moniker CLSID in OLE object context, but no nearby scriptlet/SCT payload was confirmed. Treat as related moniker attack-surface evidence rather than proof of CVE-2017-8570 exploitation.
  • Ole10Native stream in RTF OLE object high CVE related RTF_OLE10NATIVE_STREAM
    RTF contains an embedded OLE object with an Ole10Native stream. This is a strong payload-container signal and is related to Word/OLE exploit delivery, but it is not specific enough on its own to assign a CVE.
  • Equation Editor CLSID critical RTF_EQUATION_EDITOR
    Equation Editor OLE CLSID found inside an OLE object — exploited by CVE-2017-11882 / CVE-2018-0802 / CVE-2018-0798
  • ClamAV: Rtf.Exploit.CVE_2018_0802-6825822-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Rtf.Exploit.CVE_2018_0802-6825822-0
  • Automatically linked OLE object high RTF_OBJAUTLINK
    RTF contains \objautlink — an automatically linked OLE object surface that can be updated or activated when Word opens the document.
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • Large hex data blocks in OLE object high RTF_EXCESSIVE_HEX
    RTF contains ~1841KB of hex-encoded data inside \objdata sections — may hide a payload
  • OLE object data medium RTF_OBJDATA
    RTF contains 2 \objdata section(s) — embedded OLE objects

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off00001dcd.bin
44d785e10a74cc7117ea6a1cd38840cab06b3e388db47c3b09b36a13aa75c551		 rtf-objdata-decoded RTF \objdata at offset 0x1DCD 920643 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.