RTF malware analysis — malicious · 0f09c4f2f896288f

MALICIOUS

RTF

71.8 KB

MD5: dced57e04173258e8be679e517b0c633 SHA-1: ee1141c06c761d46497a7c28451bc18da4602880 SHA-256: 0f09c4f2f896288f10469fece54004470585ca0d407155b7ed93bd176260a40d

100 Risk Score

Malware Insights

MITRE ATT&CK

T1203 Exploitation for Client Execution

The RTF document contains an embedded OLE object that triggers the CVE-2017-11882 vulnerability in Microsoft Equation Editor. This vulnerability allows for arbitrary code execution, indicating a malicious intent to compromise the system.

Heuristics 3

CVE-2017-11882 — Equation Editor FONT record overflow critical CVE likely CVE_2017_11882

Equation Editor MTEF contains an overlong FONT typeface field, the vulnerable copy primitive for CVE-2017-11882. This is stronger evidence than the Equation Editor CLSID alone because it identifies the malformed record that drives code execution in EQNEDT32.EXE.
OLE object data medium RTF_OBJDATA

RTF contains 1 \objdata section(s) — embedded OLE objects
Embedded OLE object medium RTF_OBJEMB

RTF contains \objemb — embedded OLE object

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`objdata_00_off0000011b.bin` `b0dd7b889336299214ec5262d5e6b26c706fdb84445cfd9800d4adb88927884c`	rtf-objdata-decoded	RTF \objdata at offset 0x11B	3631 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.