Malicious RTF — malware analysis report

Static analysis result for SHA-256 ece7fdf1d8fc9fe3…

MALICIOUS

RTF

90.1 KB First seen: 2024-07-23
MD5: 54092cf8f48bd4f9f31bdb16b2f6ee65 SHA-1: 96a037a6075b9fb61018423de75bf1a240c92748 SHA-256: ece7fdf1d8fc9fe3edd6f538a8f3ca98576a41d7be00061618ee5af9ee7c3231
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious File T1059.003 Windows Command Shell

The RTF document contains OLE object data and specifically targets the Equation Editor component, indicating an attempt to exploit a known vulnerability (CVE-2017-11882). The ".objupdate" directive forces the activation of this embedded object, which is a common technique for executing malicious code. The primary goal is likely to download and execute a secondary payload, though no specific download URL or payload details were extracted from this sample.

Heuristics 3

  • Split hex Equation Editor ProgID + OLE object critical RTF_EQUATION_EDITOR
    RTF embeds the Equation.3 ProgID as hex bytes near OLE object activation and splits the byte stream with whitespace or an ignorable RTF group. This is an Equation Editor OLE activation surface commonly used by CVE-2017-11882 / CVE-2018-0802 exploit documents.
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off00001b8a.bin
402756e3a2bb8a3724c0fe1e5e0b8a007ab711acd3a0d293de0dd7795be92e9b		 rtf-objdata-decoded RTF \objdata at offset 0x1B8A 1966 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.