Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 f295a470ccd6b280…

MALICIOUS

RTF / .DOC

1.82 MB
MD5: e87b544a7d35d78cdc8cfc02156169f2 SHA-1: 43b56a7d15c56b178d82fcc050e0e3f2ae5d73ba SHA-256: f295a470ccd6b280cbac934788ba2cdd1c843ea2025696405fe495ae8abafd00
240 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious File

The RTF document contains multiple indicators of malicious activity, including embedded OLE objects and a critical finding related to the Equation Editor exploit (CVE-2017-11882). The presence of `RTF_EQUATION_EDITOR` and `CVE_2017_11882_RELATED` heuristics strongly suggests the exploitation of this known vulnerability. The excessive hex-encoded data within OLE objects further supports the hiding of a payload. The attack pattern is consistent with weaponized documents leveraging known vulnerabilities for initial access.

Heuristics 6

  • Equation Editor OLE1 native payload — CVE-2017-11882 related critical CVE related CVE_2017_11882_RELATED
    RTF decodes to an OLE1 Equation.3 embedded object whose native data is large and payload-like, and \objupdate requests automatic activation. This is the delivery shape used by Equation Editor RCE documents such as CVE-2017-11882/CVE-2018-0802, but the malformed MTEF record needed for exact attribution was not recovered.
  • Split hex Equation Editor ProgID + OLE object critical RTF_EQUATION_EDITOR
    RTF embeds the Equation.3 ProgID as hex bytes near OLE object activation and splits the byte stream with whitespace or an ignorable RTF group. This is an Equation Editor OLE activation surface commonly used by CVE-2017-11882 / CVE-2018-0802 exploit documents.
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • Large hex data blocks in OLE object high RTF_EXCESSIVE_HEX
    RTF contains ~1865KB of hex-encoded data inside \objdata sections — may hide a payload
  • OLE object data medium RTF_OBJDATA
    RTF contains 2 \objdata section(s) — embedded OLE objects
  • Embedded OLE object medium RTF_OBJEMB
    RTF contains \objemb — embedded OLE object

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off000000ba.bin
9c4259f274d7b66dd12f6bf110a95f3d5220f29d6d94ece8e2a33027c2237627		 rtf-objdata-decoded RTF \objdata at offset 0xBA 938102 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.