Malicious RTF — malware analysis report

Static analysis result for SHA-256 1f8507b543a8cd29…

MALICIOUS

RTF

509.2 KB First seen: 2018-10-26
MD5: 07d5520ee7e0c52871f4dd45c75a031d SHA-1: 34738593bd2bf87a4b740fbb8be4828efb11f407 SHA-256: 1f8507b543a8cd2997901a3adbb0477a0db84bbf2f218213d927ee6416923aae
120 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The RTF file contains embedded OLE object data and triggers an \objupdate directive, indicating an attempt to activate embedded content. Crucially, it fires a critical heuristic for CVE-2017-11882, a known vulnerability in Microsoft Equation Editor that allows for arbitrary code execution. This exploit is typically used to download and execute a secondary payload, making the initial RTF file a likely delivery mechanism via spearphishing.

Heuristics 3

  • CVE-2017-11882 — Equation Editor FONT record overflow critical CVE likely CVE_2017_11882
    Equation Editor MTEF contains an overlong FONT typeface field, the vulnerable copy primitive for CVE-2017-11882. This is stronger evidence than the Equation Editor CLSID alone because it identifies the malformed record that drives code execution in EQNEDT32.EXE.
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off00000eff.bin rtf-objdata-decoded RTF \objdata at offset 0xEFF 4158 bytes
SHA-256: 9525410563573faba87fe1d53f834eac59babbd5631c539947771696d3cd2551

Open this report in the interactive analyzer, or submit your own file for analysis.