Malicious RTF — malware analysis report

Static analysis result for SHA-256 f17e349fa98aec72…

MALICIOUS

RTF

83.8 KB First seen: 2024-09-22
MD5: 0d757ee344608da8c37c0615639f3cca SHA-1: be8d439ed5bd4907a4fb8efb7e58aa1a0218692a SHA-256: f17e349fa98aec72551071ff1751161e4e563ded8e7d2719be9de3f26f8946c6
140 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious File

The sample is an RTF document containing an embedded OLE object that leverages a vulnerability in the Equation Editor. The ".objupdate" directive forces the activation of this object, which is highly indicative of an exploit attempting to download and execute a secondary payload. The presence of multiple critical and high severity heuristics related to Equation Editor exploitation strongly supports this conclusion.

Heuristics 4

  • Split hex Equation Editor ProgID + OLE object critical RTF_EQUATION_EDITOR
    RTF embeds the Equation.3 ProgID as hex bytes near OLE object activation and splits the byte stream with whitespace or an ignorable RTF group. This is an Equation Editor OLE activation surface commonly used by CVE-2017-11882 / CVE-2018-0802 exploit documents.
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects
  • Embedded OLE object medium RTF_OBJEMB
    RTF contains \objemb — embedded OLE object

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off00001862.bin
ced9120765d680048414100ae26dc31012e72c9634be17e05e257fa2badff0a0		 rtf-objdata-decoded RTF \objdata at offset 0x1862 1658 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.