RTF malware analysis — malicious · 26e1aa4a6c504a3b

MALICIOUS

RTF

7.2 KB First seen: 2019-05-31

MD5: b9a2c7dcaf44e19ba0e0762cdd11faef SHA-1: ec2193977f9dc3a0cc6c1cc9f897d10105ebbf27 SHA-256: 26e1aa4a6c504a3bc908e391d0605c858bd5d9e7075140db67b3188a9176a148

220 Risk Score

Malware Insights

MITRE ATT&CK

T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The RTF file contains an embedded OLE object with a CLSID indicative of the Equation Editor vulnerability (CVE-2017-11882). The presence of \objupdate further suggests that the OLE object is designed to be activated, triggering the exploit. This technique is commonly used to deliver malicious payloads via spearphishing attachments.

Heuristics 5

Equation Editor CLSID critical CVE likely RTF_EQUATION_EDITOR

Equation Editor OLE CLSID found inside an OLE object — exploited by CVE-2017-11882 / CVE-2018-0802 / CVE-2018-0798
Ole10Native stream in RTF OLE object high CVE related RTF_OLE10NATIVE_STREAM

RTF contains an embedded OLE object with an Ole10Native stream. This is a strong payload-container signal and is related to Word/OLE exploit delivery, but it is not specific enough on its own to assign a CVE.
ClamAV: Rtf.Exploit.CVE_2017_11882-6584355-1 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Rtf.Exploit.CVE_2017_11882-6584355-1
\objupdate forces OLE activation high RTF_OBJUPDATE

RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
OLE object data medium RTF_OBJDATA

RTF contains 1 \objdata section(s) — embedded OLE objects

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`objdata_00_off0000003a.bin`	rtf-objdata-decoded	RTF \objdata at offset 0x3A	3635 bytes
SHA-256: `4a0c5dac12dd29c33ff15504cf0e837e3eb718b7e2c145674ce627d17b38567b`

Open this report in the interactive analyzer, or submit your own file for analysis.