Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 f04fcc5e3bacf644…

Verdict: MALICIOUS

File type: RTF / .DOC

Size: 24.0 KB

MD5: 79848070748b41bd7da88b85e6a2d377
SHA-1: f0d5e231a978c359365258a42d0c76c762fd5034
SHA-256: f04fcc5e3bacf644a1063cf8186101612ee96c7070f533ebac408b754f2b9ac8

Risk score: 120

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment
T1204.002 User Execution: Malicious File

The sample is an RTF document carrying embedded OLE object data whose class identifies the Microsoft Equation Editor (ProgID Equation.3), the component targeted by CVE-2017-11882 / CVE-2018-0802 exploit documents. The \objupdate control word forces the embedded object to be loaded and updated as soon as the document is opened, so the only user action required is opening the file; in exploit documents this is the point at which the malicious payload runs. This is the usual first stage of a dropper that downloads and executes further malware. No specific malware family could be attributed from static analysis alone, but the attack pattern is clear.

Heuristics (3)

  • Split hex Equation Editor ProgID + OLE object (critical, RTF_EQUATION_EDITOR)
    The RTF embeds the Equation.3 ProgID as hex bytes near the OLE object activation and splits the byte stream with whitespace or an ignorable RTF group, which defeats naive string matching on the raw file. This is the Equation Editor OLE activation surface commonly used by CVE-2017-11882 / CVE-2018-0802 exploit documents.
  • \objupdate forces OLE activation (high, RTF_OBJUPDATE)
    The RTF contains \objupdate, which forces the embedded OLE object to be instantiated when the document is opened, without any interaction beyond opening the file. The control word is almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (medium, RTF_OBJDATA)
    The RTF contains 2 \objdata sections (embedded OLE objects); one of them was carved as an artifact (see below).

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00001a29.bin
SHA-256: bbbe4d0a6ae7a603f769fd7fee36c741568e305ce411e2f6a6aff853c3be266a
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x1A29
Size: 1786 bytes
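As an added illustration (example code written for this page, not part of the report and not the analysis engine's own code), the following Python re-implements the three heuristics listed above and the \objdata carving that produces artifacts such as the one listed here. It runs on a constructed RTF embedded in the script rather than on the analysed sample. The OLE1 container header layout it reads (version, format, length-prefixed class name) is standard; the artifact naming scheme objdata_NN_offXXXXXXXX.bin and the use of the \objdata control word's own file offset are assumed from the filename and "Source" field above.

```python
"""Re-implementation of the report's RTF heuristics (RTF_OBJDATA, RTF_OBJUPDATE,
RTF_EQUATION_EDITOR) and of \\objdata carving. Example code, not the engine's own."""
import hashlib
import re

# Constructed sample (not the analysed file): two \objdata sections. The first is an
# OLE1 container whose class name "Equation.3" is hex-encoded and split by whitespace
# and by an ignorable {\*...} group, inside an object carrying \objupdate.
SAMPLE_RTF = rb"""{\rtf1\ansi\deff0
{\fonttbl{\f0 Times New Roman;}}
{\object\objemb\objupdate{\*\objclass Equation.3}
{\*\objdata 01050000 02000000 0b000000
4571 7561{\*\mmathPr}7469 6f6e2e3300
00000000 00000000 08000000 deadbeef cafebabe }}
{\object\objemb{\*\objdata 01050000 02000000 08000000 5061636b61676500
00000000 00000000 00000000 }}
\par }
"""

OBJDATA_RE = re.compile(rb"\\objdata(?![a-zA-Z])")
OBJUPDATE_RE = re.compile(rb"\\objupdate(?![a-zA-Z])")
CONTROL_WORD_RE = re.compile(rb"\\[a-zA-Z]+-?\d*")
EQUATION_PROGID_HEX = b"Equation.3".hex().encode()  # b'4571756174696f6e2e33'


def group_body(data: bytes, start: int) -> bytes:
    """Bytes from `start` up to (not including) the '}' that closes the enclosing group."""
    depth, i = 0, start
    while i < len(data):
        c = data[i:i + 1]
        if c == b"\\":  # skip the character after a backslash (\{ \} \\ or a control word's first letter)
            i += 2
            continue
        if c == b"{":
            depth += 1
        elif c == b"}":
            if depth == 0:
                return data[start:i]
            depth -= 1
        i += 1
    return data[start:]


def drop_nested_groups(body: bytes) -> bytes:
    """Remove every nested {...} group (ignorable {\\*...} destinations included) from an \\objdata body."""
    out, depth, i = bytearray(), 0, 0
    while i < len(body):
        c = body[i:i + 1]
        if c == b"\\" and body[i + 1:i + 2] in (b"{", b"}", b"\\"):  # escaped brace or backslash
            if depth == 0:
                out += body[i:i + 2]
            i += 2
            continue
        if c == b"{":
            depth += 1
        elif c == b"}":
            depth = max(depth - 1, 0)
        elif depth == 0:
            out += c
        i += 1
    return bytes(out)


def objdata_hex(body: bytes) -> bytes:
    """Normalise an \\objdata body to bare hex digits: drop nested groups, control words, whitespace."""
    flat = CONTROL_WORD_RE.sub(b"", drop_nested_groups(body))
    return re.sub(rb"[^0-9a-fA-F]", b"", flat)


def ole1_class_name(blob: bytes):
    """Class name from an OLE1 container header: version(4) format(4) namelen(4) name(namelen)."""
    if len(blob) < 12 or blob[:4] != b"\x01\x05\x00\x00":
        return None
    n = int.from_bytes(blob[8:12], "little")
    name = blob[12:12 + n]
    return name.rstrip(b"\x00").decode("latin-1") if len(name) == n else None


def analyse_rtf(data: bytes) -> dict:
    """Evaluate the three heuristics and carve every \\objdata section as an artifact record."""
    result = {"RTF_OBJUPDATE": OBJUPDATE_RE.search(data) is not None,
              "RTF_OBJDATA": 0, "RTF_EQUATION_EDITOR": False,
              "progid_split": False, "artifacts": []}
    for n, m in enumerate(OBJDATA_RE.finditer(data)):
        body = group_body(data, m.end())
        hexdigits = objdata_hex(body)
        blob = bytes.fromhex(hexdigits[: len(hexdigits) & ~1].decode("ascii"))
        result["RTF_OBJDATA"] += 1
        if EQUATION_PROGID_HEX in hexdigits.lower():
            result["RTF_EQUATION_EDITOR"] = True
            # ProgID only visible after normalisation: the split-hex evasion the critical rule keys on
            result["progid_split"] = EQUATION_PROGID_HEX not in body.lower()
        result["artifacts"].append({
            "filename": "objdata_%02d_off%08x.bin" % (n, m.start()),  # naming scheme assumed
            "offset": m.start(), "size": len(blob),
            "sha256": hashlib.sha256(blob).hexdigest(),
            "ole1_class": ole1_class_name(blob), "data": blob})
    return result


if __name__ == "__main__":
    r = analyse_rtf(SAMPLE_RTF)
    for k in ("RTF_OBJUPDATE", "RTF_OBJDATA", "RTF_EQUATION_EDITOR", "progid_split"):
        print(f"{k}: {r[k]}")
    for a in r["artifacts"]:
        print(a["filename"], a["size"], "bytes", a["ole1_class"], a["sha256"])
```

The \objupdate check is a plain control-word search, while the ProgID check deliberately normalises the hex stream before matching, which is why a grep for "4571756174696f6e2e33" over the raw file misses samples like this one. On a real document, compare the OLE1 class name recovered from each carved blob with the \objclass declared in the RTF; a mismatch, or a class of Equation.3 under \objupdate, is the combination this report is flagging.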