RTF malware analysis — malicious · ee0402642d716266

MALICIOUS

RTF

21.0 KB First seen: 2022-03-07

MD5: 0a544b51de5180316f00312e1c30561f SHA-1: 9b662028eb765b979cc41722777db50bf0a63249 SHA-256: ee0402642d716266bd93fb356933d75a15a5ed045636c06ae24529bd6217d76f

160 Risk Score

Malware Insights

MITRE ATT&CK

T1203 Exploitation for Client Execution

The file is an RTF document containing embedded OLE objects, specifically triggering heuristics related to Equation Editor exploitation and OLE object activation. The presence of `RTF_EQUATION_EDITOR`, `RTF_OBJUPDATE`, and `RTF_OLE10NATIVE_STREAM` strongly indicates the use of a known vulnerability in Equation Editor to achieve code execution. This is a common method for delivering secondary payloads, though no specific payload or download URL was directly extracted from this sample.

Heuristics 4

Ole10Native stream in RTF OLE object high CVE related RTF_OLE10NATIVE_STREAM

RTF contains an embedded OLE object with an Ole10Native stream. This is a strong payload-container signal and is related to Word/OLE exploit delivery, but it is not specific enough on its own to assign a CVE.
Equation Editor CLSID critical RTF_EQUATION_EDITOR

Equation Editor OLE CLSID found inside an OLE object — exploited by CVE-2017-11882 / CVE-2018-0802 / CVE-2018-0798
\objupdate forces OLE activation high RTF_OBJUPDATE

RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
OLE object data medium RTF_OBJDATA

RTF contains 2 \objdata section(s) — embedded OLE objects

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`objdata_00_off00001e54.bin` `a707210bb92de2dd44e1c4fa7e58f26895d8d99b281d1fd5fb82c5d9ef8a7aa1`	rtf-objdata-decoded	RTF \objdata at offset 0x1E54	3683 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.