Malicious RTF — malware analysis report

Static analysis result for SHA-256 f82f655de28bc06d…

MALICIOUS

RTF

33.3 KB
MD5: b0cafc7f6204410a97abce10fb3bbc37
SHA-1: 1c52b3ceb9052c9790689ea211be1f6717d6164b
SHA-256: f82f655de28bc06daad9273269994d6d1f2663a348fb38546993e3b16dc5cecc
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1566.001 Spearphishing Attachment

The RTF file triggers two critical heuristics: an Equation Editor ProgID embedded as hex near OLE object activation (RTF_EQUATION_EDITOR) and an object update trigger (RTF_OBJUPDATE). This combination strongly suggests exploitation for client execution, and the presence of embedded OLE object data further supports it. Because no document body or script content was available for analysis, the exact payload and any further attack steps cannot be determined, so the sample is classified as 'unknown family'.

Heuristics (3)

  • Split hex Equation Editor ProgID + OLE object [critical] RTF_EQUATION_EDITOR
    RTF embeds the Equation.3 ProgID as hex bytes near OLE object activation and splits the byte stream with whitespace or an ignorable RTF group. This is an Equation Editor OLE activation surface commonly used by CVE-2017-11882 / CVE-2018-0802 exploit documents.
  • \objupdate forces OLE activation [high] RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data [medium] RTF_OBJDATA
    RTF contains 2 \objdata section(s), i.e. embedded OLE objects.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00001056.bin
SHA-256: e861d41af007485c82183827d3e30564f64b4073502f55595bb5cba2489aa374
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x1056
Size: 1355 bytes