RTF malware analysis — malicious · 2d1b4ea313cce0ee

MALICIOUS

RTF

9.2 KB First seen: 2019-05-16

MD5: 9b0927551ae7f08e4a2db49a81e16bff SHA-1: 1e48b32548770d0964c3178deb856e5bffb4413c SHA-256: 2d1b4ea313cce0ee490defa7944fd5c2d354a954c8666971784784f7db2fd432

180 Risk Score

Malware Insights

MITRE ATT&CK

T1203 Exploitation for Client Execution

The RTF file contains embedded OLE object data and specifically triggers heuristics related to Equation Editor and OLE object activation. ClamAV detection confirms this is a known exploit targeting CVE-2017-11882, which allows for arbitrary code execution.

Heuristics 4

Equation Editor CLSID critical CVE likely RTF_EQUATION_EDITOR

Equation Editor OLE CLSID found inside an OLE object — exploited by CVE-2017-11882 / CVE-2018-0802 / CVE-2018-0798
ClamAV: Doc.Exploit.CVE_2017_11882-6934206-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Exploit.CVE_2017_11882-6934206-0
\objupdate forces OLE activation high RTF_OBJUPDATE

RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
OLE object data medium RTF_OBJDATA

RTF contains 1 \objdata section(s) — embedded OLE objects

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`objdata_00_off0000003c.bin`	rtf-objdata-decoded	RTF \objdata at offset 0x3C	4655 bytes
SHA-256: `e258129f2918c1f3c6ae5b72ade3df9f812272917d78e2f86281f131e8a022a7`

Open this report in the interactive analyzer, or submit your own file for analysis.