Malicious RTF — malware analysis report

Static analysis result for SHA-256 03af5d4a9bd55308…

MALICIOUS

RTF

28.4 KB First seen: 2019-02-04
MD5: f74526cae725e6f4f5ff84cd8c4ab0e9 SHA-1: f1a41dfa37df04977e44574dca01b16cf44cc387 SHA-256: 03af5d4a9bd5530852fa9312068adf18356e479d1c236ac1b04ff8431f3ee8e0
180 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The RTF file contains embedded OLE object data and triggers an \objupdate directive, indicating an attempt to activate embedded objects. Heuristics confirm the exploitation of CVE-2017-11882, a known vulnerability in Microsoft Equation Editor, which allows for arbitrary code execution. The file is classified as malicious due to this exploit.

Heuristics 4

  • CVE-2017-11882 — Equation Editor FONT record overflow critical CVE likely CVE_2017_11882
    Equation Editor MTEF contains an overlong FONT typeface field, the vulnerable copy primitive for CVE-2017-11882. This is stronger evidence than the Equation Editor CLSID alone because it identifies the malformed record that drives code execution in EQNEDT32.EXE.
  • ClamAV: Doc.Exploit.CVE_2017_11882-6934206-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Exploit.CVE_2017_11882-6934206-0
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off0000003c.bin rtf-objdata-decoded RTF \objdata at offset 0x3C 4140 bytes
SHA-256: 117fc50cf20bd08619fa88186e6f5360aa3f2de31b4e483cfa9d445a30bf2cf0