Malicious RTF — malware analysis report

Static analysis result for SHA-256 f2e28b48ee338fdd…

MALICIOUS

RTF

503.2 KB Created: 2019-05-13 21:30:00 Authoring application: Microsoft Word 11.0.5604 First seen: 2019-10-01
MD5: 8f1ab1f96b8322c9e02d87a431a98823 SHA-1: 5817ee876753e973f4a8aec6d2eef93a3dfdf046 SHA-256: f2e28b48ee338fddd97272b191a55641c7835ad687d7b65c8db1c5f747811c57
364 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The RTF document contains multiple critical heuristic firings indicating exploitation of Equation Editor vulnerabilities (CVE-2017-11882 and CVE-2018-0798) through embedded OLE objects. This suggests the file is designed to execute arbitrary code upon opening. The presence of an embedded URL, although not directly used in the exploit chain, could be a secondary indicator of malicious intent, potentially for downloading further stages. The document body itself is a lure, impersonating an official government notice.

Heuristics 11

  • Equation Editor CLSID critical CVE likely RTF_EQUATION_EDITOR
    Equation Editor OLE CLSID found inside an OLE object — exploited by CVE-2017-11882 / CVE-2018-0802 / CVE-2018-0798
  • CVE-2018-0798 — Equation Editor Matrix record overflow critical CVE exact CVE_2018_0798
    RTF contains hex-encoded MTEF Matrix record exploit signature (NOP-sled 0x60 + padding 0x61 + return address 0x0BFB). CVE-2018-0798 exploits a stack buffer overflow in EQNEDT32.EXE's Matrix record parser and affected Equation Editor broadly, including builds patched for CVE-2017-11882. Widely used by APT groups (Conimes, KeyBoy, Emissary Panda, Rancor).
  • Equation Editor activation — CVE-2017-11882 related high CVE related CVE_2017_11882_ACTIVATION_RELATED
    RTF decodes to an Equation.3 ProgID and requests OLE activation with \objemb plus \objupdate. This reaches the legacy Equation Editor attack surface used by CVE-2017-11882/CVE-2018-0802 documents, but the malformed MTEF/native payload needed for stronger attribution was not recovered.
  • ClamAV: Rtf.Dropper.Agent-6972699-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Rtf.Dropper.Agent-6972699-0
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • Package object class high RTF_OBJCLASS_PACKAGE
    OLE Package object — can wrap arbitrary files
  • OLE object data medium RTF_OBJDATA
    RTF contains 4 \objdata section(s) — embedded OLE objects
  • Embedded OLE object medium RTF_OBJEMB
    RTF contains \objemb — embedded OLE object
  • OlePres presentation stream in RTF OLE object medium RTF_OLEPRES_STREAM
    RTF contains an embedded OLE object with an OlePres presentation stream. OlePres is an OLE presentation marker and is not enough on its own to identify CVE-2025-21298.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://lanhsuvietnam.gov.vn In RTF body

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off0001c3bc.bin rtf-objdata-decoded RTF \objdata at offset 0x1C3BC 20720 bytes
SHA-256: 0918ede45d6abb022cd1e736f2cc1d509aa0dc4b2aa9708504143cfc20be9c92
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.99, consistent with packed or encrypted content.
objdata_01_off000265d2.bin rtf-objdata-decoded RTF \objdata at offset 0x265D2 11854 bytes
SHA-256: 341598f8f5a044e300446a36d93a9b5647ee93c2e8cd62d846da2d4e22f59406
objdata_02_off000265fc.bin rtf-objdata-decoded RTF \objdata at offset 0x265FC 35 bytes
SHA-256: d0771b17e6418e479f528fc4aa124822669975a78f8dc3e35cdc4b0f7c212c4e
objdata_03_off0002c41a.bin rtf-objdata-decoded RTF \objdata at offset 0x2C41A 167011 bytes
SHA-256: 3c0c98e040020aa55c3ba3b1d3783544a593c2c525dc5b19f81be3f5131bab37
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.65, consistent with packed or encrypted content.

Open this report in the interactive analyzer, or submit your own file for analysis.