Malicious RTF — malware analysis report

Static analysis result for SHA-256 f044c02fa90549da…

Verdict: MALICIOUS
File type: RTF
Size: 3.5 KB
MD5: 79f6a7543d65577041b6e60db871487e
SHA-1: 79f9bfc7211f680bb2b1390e72f2700904c9c37f
SHA-256: f044c02fa90549daa3544371c7e003b424db14944c4ca34d9f78170755a69809
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1566.001 Spearphishing Attachment

The RTF file contains critical heuristics indicating the presence of a vulnerable Equation Editor object, which is commonly exploited to achieve arbitrary code execution. The presence of OLE object data and the \objupdate command further suggest an attempt to trigger this exploit. This pattern is often used in spearphishing attachments to deliver a malicious payload.

Heuristics (3)

  • RTF_EQUATION_EDITOR (critical): Split hex Equation Editor ProgID + OLE object
    RTF embeds the Equation.3 ProgID as hex bytes near OLE object activation and splits the byte stream with whitespace or an ignorable RTF group. This is an Equation Editor OLE activation surface commonly used by CVE-2017-11882 / CVE-2018-0802 exploit documents.
  • RTF_OBJUPDATE (high): \objupdate forces OLE activation
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • RTF_OBJDATA (medium): OLE object data
    RTF contains 2 \objdata section(s) — embedded OLE objects.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off000000ab.bin
SHA-256: fc0ed77a8a58b0640f491286a4f510d5552edc4c20502d68a596f67714646003
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0xAB
Size: 1543 bytes