This is a maldoc analysis submitted by reader Ahmed Elshaer.
I have come across a malicious rtf file that can be found here. I have started investigating it as usual using Didier Tool rtfdump.
As you can see it have a lot of nested strings, and only one of the strings had a control word of an object although it was not marked by as object 'O'.
By selecting the object 157 and hex decoding the output, we can see that this object is calling Equation Editor EQNEDT32.EXE, which is another Microsoft component.
This Powershell encoded command here can be decoded using base64dump.
And we can see it gets downloaded as svchost.exe which then will be executed as you can see in the VBScript.
Jul 21st 2019
8 months ago