Malicious RTF — malware analysis report

Static analysis result for SHA-256 fdf8b6e1e7ec9bf5…

MALICIOUS

RTF

Size: 82.2 KB
First seen: 2024-09-06
MD5: 61bdba492438e7930a49baaa44671829
SHA-1: 497ac98a348a550d5c9313ae4b9c23517599ba7b
SHA-256: fdf8b6e1e7ec9bf55e54f1814b63e5f1590c67adf2718306b44aba2c2cd08a28
Risk Score: 120

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The RTF document contains an embedded OLE object with a split Equation Editor ProgID, indicating exploitation of CVE-2017-11882. The \objupdate directive forces OLE activation, triggering the exploit. The objdata section likely contains the shellcode for executing a secondary payload, which is a common technique for malware delivery.

Heuristics (3)

  • Split hex Equation Editor ProgID + OLE object [critical] (RTF_EQUATION_EDITOR)
    RTF embeds the Equation.3 ProgID as hex bytes near OLE object activation and splits the byte stream with whitespace or an ignorable RTF group. This is an Equation Editor OLE activation surface commonly used by CVE-2017-11882 / CVE-2018-0802 exploit documents.
  • \objupdate forces OLE activation [high] (RTF_OBJUPDATE)
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data [medium] (RTF_OBJDATA)
    RTF contains 1 \objdata section(s) — embedded OLE objects

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off0000110f.bin
Hash (SHA-256): 7fad7bce5fee6abebd8d4012e2268125b017669ade515dd61798b695c1bc0120
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x110F
Size: 1648 bytes