Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 fd5f1521057e7a9c…

MALICIOUS

RTF / .DOC

17.9 KB
MD5: 0ff066602a6d1658008a48d0b65d4559
SHA-1: 79a540a7da6f67826001257bb76c5185ec567538
SHA-256: fd5f1521057e7a9cbd246c4fef4383cc83c4c47241e0f62de0b7145b92e83460

Risk Score: 140

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1204.002 Malicious File

The sample is an RTF document that contains embedded OLE objects, specifically triggering the Equation Editor vulnerability. The ".objupdate" directive forces OLE activation, indicating an attempt to exploit this vulnerability. The presence of the Equation Editor CLSID is a strong indicator of this attack vector. No scripts were extracted, and the document body was heavily obfuscated, but the heuristics clearly point to an Equation Editor exploit.

Heuristics (4)

  • Equation Editor CLSID [critical] (RTF_EQUATION_EDITOR)
    Equation Editor OLE CLSID found inside an OLE object — exploited by CVE-2017-11882 / CVE-2018-0802 / CVE-2018-0798
  • \objupdate forces OLE activation [high] (RTF_OBJUPDATE)
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data [medium] (RTF_OBJDATA)
    RTF contains 2 \objdata section(s) — embedded OLE objects
  • Embedded OLE object [medium] (RTF_OBJEMB)
    RTF contains \objemb — embedded OLE object

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00001d79.bin
SHA-256: 6e30a359e9ae3c28cabc2f649b2f18f15d854c5a62e3e8c0233e402f270f7de6
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x1D79
Size: 4169 bytes