Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 f1bc334cace7d467…

MALICIOUS

RTF / .DOC

66.8 KB First seen: 2023-01-20
MD5: d19815a6fa3fed3a5157882dfaa7159c SHA-1: 5d2ad4ef0a637e8b049d8bd8157d0d2c1a364824 SHA-256: f1bc334cace7d46749cce870fa2b4e848294c57ddfc9e2a8907abae52a98997c
200 Risk Score

Malware Insights

MITRE ATT&CK
T1204 Malicious Link T1204.002 Malicious File T1566 Phishing T1566.001 Spearphishing Attachment T1059 Command and Scripting Interpreter T1059.005 Visual Basic

The sample is an RTF document containing an embedded OLE object specifically targeting the Equation Editor vulnerability (CVE-2017-11882). The presence of \objupdate and the Equation Editor ProgID strongly indicate an attempt to trigger this known exploit. The document also contains a lure instructing the user to 'Enable editing', a common tactic to bypass security measures. The exploit is likely used to download and execute a secondary payload.

Heuristics 6

  • Equation Editor activation — CVE-2017-11882 related high CVE related CVE_2017_11882_ACTIVATION_RELATED
    RTF decodes to an Equation.3 ProgID and requests OLE activation with \objemb plus \objupdate. This reaches the legacy Equation Editor attack surface used by CVE-2017-11882/CVE-2018-0802 documents, but the malformed MTEF/native payload needed for stronger attribution was not recovered.
  • Split hex Equation Editor ProgID + OLE object critical RTF_EQUATION_EDITOR
    RTF embeds the Equation.3 ProgID as hex bytes near OLE object activation and splits the byte stream with whitespace or an ignorable RTF group. This is an Equation Editor OLE activation surface commonly used by CVE-2017-11882 / CVE-2018-0802 exploit documents.
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects
  • Embedded OLE object medium RTF_OBJEMB
    RTF contains \objemb — embedded OLE object
  • Macro/content-enable lure medium SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off000042e1.bin
253fb78cc0cf12aea65494db64fe3fecb98e4032ad54d59f02ad8409caf3a0a0		 rtf-objdata-decoded RTF \objdata at offset 0x42E1 1357 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.