Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 f68e0d0d70d45d68…

MALICIOUS

RTF / .DOC

16.4 KB
MD5:     492215cbf3aa75e3b4fe1a21e1ec3551
SHA-1:   bf2432d78ba60b8237d905d4907f03bea99e4364
SHA-256: f68e0d0d70d45d687e8f161727cd66401d1fa7ab2f64a629141c49e9e79c501c

Risk Score: 120

Malware Insights

MITRE ATT&CK
  T1203     Exploitation for Client Execution
  T1059.001 PowerShell

The sample is an RTF document that contains embedded OLE object data. Heuristics indicate exploitation of the Equation Editor vulnerability (RTF_EQUATION_EDITOR) and use of an \objupdate control word to trigger OLE activation (RTF_OBJUPDATE). Together these suggest the file is designed to execute code as soon as it is opened, likely to download and run a second-stage payload.

Heuristics (3)

  • [critical] RTF_EQUATION_EDITOR — Split hex Equation Editor ProgID + OLE object
    RTF embeds the Equation.3 ProgID as hex bytes near OLE object activation and splits the byte stream with whitespace or an ignorable RTF group. This is an Equation Editor OLE activation surface commonly used by CVE-2017-11882 / CVE-2018-0802 exploit documents.
  • [high] RTF_OBJUPDATE — \objupdate forces OLE activation
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • [medium] RTF_OBJDATA — OLE object data
    RTF contains 2 \objdata section(s) — embedded OLE objects

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename:  objdata_00_off000009ce.bin
SHA-256:   5e694733a47029fedfbb196259cbd989a826f9319925fd77ab9fb55df10d364e
Kind:      rtf-objdata-decoded
Source:    RTF \objdata at offset 0x9CE
Size:      1850 bytes