Malicious RTF — malware analysis report

Static analysis result for SHA-256 f84363d803894272…

MALICIOUS

RTF

Size: 34.7 KB
First seen: 2019-03-10
MD5: 83284f99da1ed6c32d838dbaa6e621e4
SHA-1: 3f18cf9463bdd92361c95e9a58402ce5089d3139
SHA-256: f84363d8038942720d44aaa963e947787045cfb6e8ceb96be3635197d433f65c
Risk Score: 200

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1566.001 Spearphishing Attachment

The sample is an RTF document carrying several critical heuristics that indicate exploitation of the Equation Editor vulnerability. The presence of OLE object data together with an automatically linked OLE object further suggests that the document is designed to trigger the exploit without user interaction. The heap-spray pattern is commonly associated with exploit delivery mechanisms.

Heuristics (5)

  • Split hex Equation Editor ProgID + OLE object (severity: critical; CVE likely; rule: RTF_EQUATION_EDITOR)
    The RTF embeds the Equation.3 ProgID as hex bytes near the OLE object activation and splits the byte stream with whitespace or an ignorable RTF group. This is an Equation Editor OLE activation surface commonly used by CVE-2017-11882 / CVE-2018-0802 exploit documents.
  • Heap-spray pattern detected (severity: high; rule: SC_HEAP_SPRAY)
    Repeated 0x04 bytes found. Attempted x86 opcode disassembly of the region decodes as a long run of `add al, 4` (opcode bytes 04 04) instructions, the NOP-like filler typical of a heap spray.
  • Automatically linked OLE object (severity: high; rule: RTF_OBJAUTLINK)
    The RTF contains \objautlink: an automatically linked OLE object surface that can be updated or activated when Word opens the document.
  • \objupdate forces OLE activation (severity: high; rule: RTF_OBJUPDATE)
    The RTF contains \objupdate: this forces automatic OLE object instantiation when the document is opened, bypassing user interaction. It is almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium; rule: RTF_OBJDATA)
    The RTF contains 1 \objdata section(s), i.e. embedded OLE objects.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off000078db.bin
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x78DB
Size: 2071 bytes
SHA-256: b83c617abc4519a6c51766ec71ee3b5e737ae6ccd73d483b8af901ae21ee050c