Malicious RTF — malware analysis report

Static analysis result for SHA-256 1405144b8dd049ea…

Verdict: MALICIOUS
Type: RTF
Size: 38.4 KB
MD5: 97111db868fec63bbec240afe948caa0
SHA-1: ed4250df314994195ced2da5292f4cefda0abd49
SHA-256: 1405144b8dd049eaf83b54482175ba84d71360ac537fc9639049e2ace2cb4e07
Risk Score: 100

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The RTF file contains an embedded OLE object whose CLSID matches the Equation Editor heuristic, indicating an attempt to exploit a vulnerability in that component. The document body also carries a lure telling the user to 'enable editing', a common tactic for bypassing security measures so that embedded malicious content executes. Together, these indicators suggest the file is designed to exploit a client-side vulnerability when delivered as a malicious attachment.

Heuristics (3)

  • Equation Editor CLSID (severity: critical, rule: RTF_EQUATION_EDITOR)
    Equation Editor OLE CLSID found inside an OLE object — exploited by CVE-2017-11882 / CVE-2018-0802 / CVE-2018-0798
  • Embedded OLE object (severity: medium, rule: RTF_OBJEMB)
    RTF contains \objemb — embedded OLE object
  • Macro/content-enable lure (severity: medium, rule: SE_ENABLE_LURE)
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings