Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 f0916d0a5c76f29c…

MALICIOUS

RTF / .DOC

30.7 KB
MD5:     41d03e0ba98a2dee7519754558a9f528
SHA-1:   5d97838acbd7e751d97b180d6990f4ab9613e2e8
SHA-256: f0916d0a5c76f29cfa34f43b68ead1840ae8499715aa7865cd17710f485af5c4

Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1059.001 PowerShell

The sample is an RTF document containing OLE object data, specifically triggering the RTF_EQUATION_EDITOR heuristic. This indicates the presence of a malicious Equation Editor exploit. The ".objupdate" directive further suggests that the OLE object is designed to be activated automatically, likely leading to the execution of a payload. The embedded objdata, while not directly readable, is the likely carrier of the exploit code. The high confidence is due to the clear exploitation pattern indicated by the heuristics.

Heuristics (3)

  • Split hex Equation Editor ProgID + OLE object [critical] RTF_EQUATION_EDITOR
    RTF embeds the Equation.3 ProgID as hex bytes near OLE object activation and splits the byte stream with whitespace or an ignorable RTF group. This is an Equation Editor OLE activation surface commonly used by CVE-2017-11882 / CVE-2018-0802 exploit documents.
  • \objupdate forces OLE activation [high] RTF_OBJUPDATE
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data [medium] RTF_OBJDATA
    RTF contains 2 \objdata section(s): embedded OLE objects.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off0000078d.bin
SHA-256:  7c084ad4e50e8c79c060f5d8f4e81fdf9a9305a47d0f0926b4a1e250ffdf74de
Kind:     rtf-objdata-decoded
Source:   RTF \objdata at offset 0x78D
Size:     1774 bytes