Malicious RTF — malware analysis report

Static analysis result for SHA-256 0bad8fccaad25d62…

Verdict: MALICIOUS
File type: RTF
Size: 110.0 KB
First seen: 2019-04-18
MD5: e42699957e449540e16dde71a8e42da3
SHA-1: 53b1dbc7d45fa604726b45782d46baf36fba135b
SHA-256: 0bad8fccaad25d6232e16fadd0078c7beec9a35c5bc465d9a2f36a4baabbee6f
Risk Score: 160

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution
T1566.001 Spearphishing Attachment

The RTF file embeds an OLE object whose decoded \objdata carries the Equation Editor ProgID (Equation.3), written as split hex, and the object is marked \objupdate so that Word instantiates it as soon as the document is opened. Together these match the heuristics for CVE-2017-11882, a stack buffer overflow in EQNEDT32.EXE that gives arbitrary code execution when the Equation Editor server parses the embedded object. A long run of repeated bytes in the object data was additionally flagged as heap-spray-like. These are static indicators only; confirming exploitation requires detonating the sample or disassembling the carved object.

Heuristics (4)

  • Split hex Equation Editor ProgID + OLE object (severity: critical; CVE likely; rule RTF_EQUATION_EDITOR)
    The RTF embeds the Equation.3 ProgID as hex bytes near the OLE object activation and splits the byte stream with whitespace or an ignorable RTF group. This is the Equation Editor OLE activation surface commonly used by CVE-2017-11882 / CVE-2018-0802 exploit documents.
  • Heap-spray pattern detected (severity: high; rule SC_HEAP_SPRAY)
    Repeated 0x07 bytes found
    Disassembly
    Attempted x86 opcode disassembly: 96 consecutive 0x07 bytes at offsets 0x35 to 0x94, each decoding to pop es (listing condensed)
    00000035  07                pop es
    00000036  07                pop es
    00000037  07                pop es
    ...
    00000094  07                pop es
    Caveat: SC_HEAP_SPRAY fires on byte repetition alone. The classic CVE-2017-11882 exploits overwrite a return address on the stack and need no heap spray, so a run of pop es is better read as filler or sled bytes in front of the payload than as proof of spraying.
  • \objupdate forces OLE activation (severity: high; rule RTF_OBJUPDATE)
    The RTF contains \objupdate, which makes Word update (instantiate) the OLE object automatically when the document is opened, so the Equation Editor server is launched without the user double-clicking the object. Legitimate authoring tools rarely emit it; it is a hallmark of Equation Editor exploit documents.
  • OLE object data (severity: medium; rule RTF_OBJDATA)
    The RTF contains 1 \objdata section(s), i.e. embedded OLE objects.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00009612.bin
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x9612
Size: 1877 bytes
SHA-256: 48f9398728e292b48030fef71dcb1289869afcf7111f468f60ee0df53de9d1d3
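The following is an added Python example, not the analysis platform's code, that re-derives the four heuristics above (split-hex ProgID, repeated-byte run, \objupdate, \objdata) and performs the \objdata carving shown in the extracted-artifacts section. It builds a constructed OLE1 blob and RTF wrapper rather than using the real sample's data; the ignorable group {\*\hypothetical x} that splits the ProgID hex, the rule names and the 64-byte run threshold are assumptions chosen to mirror the report.

```python
import re
import struct

def build_ole1_blob(classname: bytes, native: bytes) -> bytes:
    """OLE1 ObjectHeader: version, FormatID 2 (embedded), length-prefixed
    NUL-terminated class name, empty TopicName/ItemName, then native data."""
    cname = classname + b"\x00"
    return (struct.pack("<II", 0x00000501, 2) + struct.pack("<I", len(cname))
            + cname + struct.pack("<II", 0, 0) + struct.pack("<I", len(native)) + native)

# Constructed stand-in for the carved object (not the real document's data).
OLE1_BLOB = build_ole1_blob(b"Equation.3", b"\x07" * 96 + b"\xcc" * 8)

def split_hex(blob: bytes) -> bytes:
    """Hex-encode, then break the ProgID bytes with whitespace and a
    hypothetical ignorable group the way split-hex exploit builders do."""
    h, pid = blob.hex().encode(), b"Equation.3".hex().encode()
    i = h.index(pid)
    broken = pid[:6] + b"\r\n " + pid[6:12] + b"{\\*\\hypothetical x}" + pid[12:]
    return h[:i] + broken + h[i + len(pid):]

SAMPLE_RTF = (b"{\\rtf1\\ansi\\deff0\n{\\object\\objemb\\objupdate\\objw380\\objh300"
              b"{\\*\\objclass Equation.3}{\\*\\objdata " + split_hex(OLE1_BLOB)
              + b"}}\\par}")

def group_body(rtf: bytes, brace: int) -> bytes:
    """Bytes between the '{' at rtf[brace] and its matching '}'."""
    depth, i = 0, brace
    while i < len(rtf):
        c = rtf[i]
        if c == 0x5C:                      # backslash: skip the escaped byte
            i += 2
            continue
        depth += (c == 0x7B) - (c == 0x7D)
        if depth == 0:
            return rtf[brace + 1:i]
        i += 1
    return rtf[brace + 1:]                 # unterminated group: rest of file

def strip_nested_groups(body: bytes) -> bytes:
    """Drop every {...} group (e.g. {\\*\\foo}) embedded in a hex stream."""
    out, i = bytearray(), 0
    while i < len(body):
        if body[i] == 0x7B:
            i += len(group_body(body, i)) + 2
        else:
            out.append(body[i])
            i += 1
    return bytes(out)

CONTROL_WORD = re.compile(rb"\\[A-Za-z]+-?\d* ?")

def objdata_streams(rtf: bytes):
    """Yield (offset, raw_hex_text, decoded_bytes) per \\objdata group,
    tolerating whitespace, control words and nested groups inside the hex."""
    for m in re.finditer(rb"\\objdata\b", rtf):
        brace = rtf.rfind(b"{", 0, m.start())
        if brace < 0:
            continue
        body = group_body(rtf, brace)
        raw = body[body.index(b"\\objdata") + len(b"\\objdata"):]
        hexchars = re.sub(rb"[^0-9A-Fa-f]", b"",
                          CONTROL_WORD.sub(b"", strip_nested_groups(raw)))
        yield m.start(), raw, bytes.fromhex(hexchars[:len(hexchars) & ~1].decode())

def ole1_classname(blob: bytes):
    """ProgID from the OLE1 ObjectHeader, or None if the layout does not fit."""
    if len(blob) < 12:
        return None
    _ver, fmt, n = struct.unpack_from("<III", blob, 0)
    if fmt not in (1, 2) or not 0 < n <= 256 or 12 + n > len(blob):
        return None
    return blob[12:12 + n].rstrip(b"\x00")

def longest_byte_run(data: bytes):
    """(value, length, offset) of the longest run of one repeated byte."""
    best, i = (None, 0, 0), 0
    while i < len(data):
        j = i
        while j < len(data) and data[j] == data[i]:
            j += 1
        if j - i > best[1]:
            best = (data[i], j - i, i)
        i = j
    return best

def triage(rtf: bytes, spray_min_run: int = 64) -> dict:
    """Re-derive the report's four heuristics for one RTF document."""
    hits, objects = [], []
    if re.search(rb"\\objupdate\b", rtf):
        hits.append("RTF_OBJUPDATE")
    for off, raw, blob in objdata_streams(rtf):
        cls = ole1_classname(blob)
        is_eq = bool(cls) and cls.lower().startswith(b"equation.")
        run = longest_byte_run(blob)
        objects.append({"offset": off, "classname": cls, "size": len(blob),
                        # ProgID decodes fine but its hex is never contiguous: split trick
                        "split_progid": is_eq and cls.hex().encode() not in raw.lower(),
                        "longest_run": run})
        if is_eq and "RTF_EQUATION_EDITOR" not in hits:
            hits.append("RTF_EQUATION_EDITOR")
        if run[1] >= spray_min_run and "SC_HEAP_SPRAY" not in hits:
            hits.append("SC_HEAP_SPRAY")
    if objects:
        hits.append("RTF_OBJDATA")
    return {"heuristics": hits, "objects": objects}
```

Call triage(open(path, "rb").read()) on a real file; writing each decoded stream from objdata_streams() to objdata_NN_offXXXX.bin reproduces the carving in the artifacts section. Two caveats: Word wraps \objdata hex at a fixed line length, so a newline alone can land inside the ProgID hex of a benign document, which is why split_progid should be weighed together with \objupdate rather than on its own; and the run-length check is a filler or sled indicator, not proof of a heap spray.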