RTF malware analysis — malicious · 166e7e61f97edd96

MALICIOUS

RTF

836.6 KB First seen: 2019-01-11

MD5: 9dd2f24f4b8e22e537657bfdc4cc3fa5 SHA-1: fb0e3a1d4d088a973654635e67e102082d2e52ce SHA-256: 166e7e61f97edd96c3d2ed56fc56ccb6be31cde99e154c4ccb2be71eedc20cd0

180 Risk Score

Malware Insights

MITRE ATT&CK

T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The RTF file contains embedded OLE object data and triggers an \objupdate, indicating an attempt to activate embedded content. Critical heuristics identify the CVE-2017-11882 vulnerability within the RTF's decoded object data, a known exploit for Microsoft Equation Editor. This exploit is commonly used to achieve arbitrary code execution, likely for downloading and executing a secondary malicious payload.

Heuristics 4

CVE-2017-11882 — Equation Editor FONT record overflow critical CVE likely CVE_2017_11882

Equation Editor MTEF contains an overlong FONT typeface field, the vulnerable copy primitive for CVE-2017-11882. This is stronger evidence than the Equation Editor CLSID alone because it identifies the malformed record that drives code execution in EQNEDT32.EXE.
ClamAV: Doc.Exploit.CVE_2017_11882-6934206-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Exploit.CVE_2017_11882-6934206-0
\objupdate forces OLE activation high RTF_OBJUPDATE

RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
OLE object data medium RTF_OBJDATA

RTF contains 1 \objdata section(s) — embedded OLE objects

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`objdata_00_off000005e7.bin`	rtf-objdata-decoded	RTF \objdata at offset 0x5E7	3627 bytes
SHA-256: `fed9740ad67ef7ca363d54eacc66f5a306f1eb625ebafaa73a1009d21e57ba2a`

Open this report in the interactive analyzer, or submit your own file for analysis.