Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 f9560158d2d5467f…

MALICIOUS

RTF / .DOC

Size: 220.0 KB
First seen: 2022-03-14
MD5: 1b63b5070e2933d6fdf097140d344b2c
SHA-1: 21786c753aa273afb36d633454c81438e69404f6
SHA-256: f9560158d2d5467f2aac971022cfd4ca0056e686c6f47a2d9a56ac8424a0d0ad
Risk Score: 135

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File
  • T1059.003 Windows Command Shell

The sample is an RTF document containing embedded OLE objects, specifically triggering critical heuristics related to the Equation Editor vulnerability. The presence of \objupdate indicates that the embedded object is designed to be automatically activated upon opening, leading to the exploitation of the Equation Editor. This strongly suggests a malicious document designed to deliver a payload via this known exploit.

Heuristics (3)

  • Split hex Equation Editor ProgID + OLE object (severity: critical, rule: RTF_EQUATION_EDITOR)
    RTF embeds the Equation.3 ProgID as hex bytes near OLE object activation and splits the byte stream with whitespace or an ignorable RTF group. This is an Equation Editor OLE activation surface commonly used by CVE-2017-11882 / CVE-2018-0802 exploit documents.
  • \objupdate forces OLE activation (severity: high, rule: RTF_OBJUPDATE)
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium, rule: RTF_OBJDATA)
    RTF contains 2 \objdata section(s), i.e. embedded OLE objects.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off000000aa.bin
SHA-256: 6d34eee026d03ed7fc3967507323cb0e06fae5396b2bf7882204bc9fee39bc02
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0xAA
Size: 71334 bytes