Verdict: MALICIOUS
Risk Score: 200
Malware Insights
MITRE ATT&CK
- T1203 Exploitation for Client Execution
- T1566.001 Spearphishing Attachment
The sample is an RTF document that triggers critical heuristics indicating exploitation of the Equation Editor vulnerability. The presence of OLE object data and an automatically linked OLE object further suggests that the document is designed to trigger an exploit on open. The heap-spray pattern is commonly associated with exploit delivery mechanisms.
Heuristics (5)
- Split hex Equation Editor ProgID + OLE object (critical, CVE likely, RTF_EQUATION_EDITOR): the RTF embeds the Equation.3 ProgID as hex bytes near OLE object activation and splits the byte stream with whitespace or an ignorable RTF group. This is an Equation Editor OLE activation surface commonly used by CVE-2017-11882 / CVE-2018-0802 exploit documents.
- Heap-spray pattern detected (high, SC_HEAP_SPRAY): repeated 0x04 bytes found.
Disassembly
Attempted x86 opcode disassembly of the repeated-byte region.
- Automatically linked OLE object (high, RTF_OBJAUTLINK): the RTF contains \objautlink, an automatically linked OLE object surface that can be updated or activated when Word opens the document.
- \objupdate forces OLE activation (high, RTF_OBJUPDATE): the RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
- OLE object data (medium, RTF_OBJDATA): the RTF contains 1 \objdata section(s), i.e. embedded OLE objects.
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| objdata_00_off000078db.bin | rtf-objdata-decoded | RTF \objdata at offset 0x78DB | 2071 bytes | b83c617abc4519a6c51766ec71ee3b5e737ae6ccd73d483b8af901ae21ee050c |