RTF malware analysis — malicious · 1f810e0c8a5a5f92

MALICIOUS

RTF

8.4 KB Authoring application: Riched20 6.3.9600

MD5: b44a2e9d3476270c88465fc79f5b3f56 SHA-1: f61cf60ec9a70c5ee0c836853caa5013d833ca2f SHA-256: 1f810e0c8a5a5f9286f84b79019329a529440f68e3913ce8a7137e9149d6b956

260 Risk Score

Malware Insights

MITRE ATT&CK

T1203 Exploitation for Client Execution

The sample is an RTF document containing an embedded OLE object, specifically identified as an Equation Editor object. Heuristics indicate the use of \objupdate, forcing OLE activation, and the presence of Equation Editor CLSID and object class. ClamAV detection confirms this is Rtf.Exploit.CVE_2017_11882-6584355-1, a known exploit targeting CVE-2017-11882. This vulnerability allows for arbitrary code execution when the embedded object is activated.

Heuristics 6

Equation Editor CLSID critical RTF_EQUATION_EDITOR

Equation Editor OLE CLSID found inside an OLE object — exploited by CVE-2017-11882 / CVE-2018-0802 / CVE-2018-0798
Equation Editor object class critical RTF_OBJCLASS_EQUATION

Object class 'equation.3' references Equation Editor
ClamAV: Rtf.Exploit.CVE_2017_11882-6584355-1 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Rtf.Exploit.CVE_2017_11882-6584355-1
\objupdate forces OLE activation high RTF_OBJUPDATE

RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
OLE object data medium RTF_OBJDATA

RTF contains 1 \objdata section(s) — embedded OLE objects
Embedded OLE object medium RTF_OBJEMB

RTF contains \objemb — embedded OLE object

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`objdata_00_off00000100.bin` `d26f5d2b3406d346113b358ad58f7fd31a74bf5277b6efa1f89bba3a12513263`	rtf-objdata-decoded	RTF \objdata at offset 0x100	3546 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.