Malicious RTF — malware analysis report

Static analysis result for SHA-256 036c4926e1120648…

MALICIOUS

RTF

Size: 267.3 KB
First seen: 2019-08-04
MD5: 46a1addd738cb56e452dce991d5d5ea8
SHA-1: b6d86adc5a19004043eed7f4ff380561f604a276
SHA-256: 036c4926e112064819f77ec0af669170363cf1b2ee8bb07498acd85fd733df63
Risk Score: 180

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1566.001 Spearphishing Attachment

The RTF document contains embedded OLE object data and an \objupdate control word, which forces the embedded object to be activated as soon as the document is opened. Critical heuristics confirm exploitation of CVE-2017-11882, a known stack buffer overflow in Microsoft Equation Editor (EQNEDT32.EXE). The vulnerability allows arbitrary code execution, which in documents of this kind is typically used to download and run a secondary malicious payload.

Heuristics (4)

  • CVE-2017-11882 — Equation Editor FONT record overflow [critical] (CVE likely: CVE_2017_11882)
    The Equation Editor MTEF stream contains an overlong FONT typeface field, the vulnerable copy primitive for CVE-2017-11882. This is stronger evidence than the Equation Editor CLSID alone because it identifies the malformed record that drives code execution in EQNEDT32.EXE.
  • ClamAV: Doc.Exploit.CVE_2017_11882-6934206-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Exploit.CVE_2017_11882-6934206-0
  • \objupdate forces OLE activation [high] (RTF_OBJUPDATE)
    The RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. This control word is seen almost exclusively in Equation Editor exploit documents.
  • OLE object data [medium] (RTF_OBJDATA)
    The RTF contains 1 \objdata section (embedded OLE object).

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00001fdf.bin
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x1FDF
Size: 4155 bytes
SHA-256: aebefb950062e78b569acba32ccd215ad87bc6d462e16e0c5e7645f9c34496b2