Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 f24391e7f0d22b52…

MALICIOUS

RTF / .DOC

4.7 KB
MD5: b354e397b0123735181fb69e093b1fb6 SHA-1: c85e12dd3730c46ebc85ba4a23df08a9e50a55af SHA-256: f24391e7f0d22b524413f4563cd6204286388e26532d161be173bf396788da1f
120 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1559.001 Component Object Model Hijacking

The file is an RTF document containing embedded OLE objects, specifically targeting the Equation Editor vulnerability. The presence of `RTF_EQUATION_EDITOR` and `RTF_OBJUPDATE` heuristics indicates that the document is designed to exploit this vulnerability upon opening, likely leading to arbitrary code execution. No document body text or scripts were extracted, but the heuristics strongly suggest a classic exploit delivery mechanism.

Heuristics 3

  • Split hex Equation Editor ProgID + OLE object critical RTF_EQUATION_EDITOR
    RTF embeds the Equation.3 ProgID as hex bytes near OLE object activation and splits the byte stream with whitespace or an ignorable RTF group. This is an Equation Editor OLE activation surface commonly used by CVE-2017-11882 / CVE-2018-0802 exploit documents.
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 2 \objdata section(s) — embedded OLE objects

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off000000c4.bin
5967aae50e3c34826ec2fa3f5f016eebca5c5d86f24dc830bc6815824f5a405a		 rtf-objdata-decoded RTF \objdata at offset 0xC4 2175 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.