RTF malware analysis — malicious · 2ed07e573397f02e

MALICIOUS

RTF

8.1 KB First seen: 2018-10-07

MD5: e86d2cef69362558b3604ba8678ebe65 SHA-1: bcbc0db3fc1b3719e46d9d004e82e83c4a251bb7 SHA-256: 2ed07e573397f02e477b12828a9b4047d14acabfb634c2f067f675db0133942b

180 Risk Score

Malware Insights

MITRE ATT&CK

T1203 Exploitation for Client Execution

The RTF file contains an embedded OLE object that triggers the Equation Editor vulnerability (CVE-2017-11882). This vulnerability allows for arbitrary code execution when the object is activated. The ClamAV detection signature directly confirms the exploitation of this known vulnerability.

Heuristics 4

Equation Editor CLSID critical CVE likely RTF_EQUATION_EDITOR

Equation Editor OLE CLSID found inside an OLE object — exploited by CVE-2017-11882 / CVE-2018-0802 / CVE-2018-0798
ClamAV: Doc.Exploit.CVE_2017_11882-6934206-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Exploit.CVE_2017_11882-6934206-0
\objupdate forces OLE activation high RTF_OBJUPDATE

RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
OLE object data medium RTF_OBJDATA

RTF contains 1 \objdata section(s) — embedded OLE objects

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`objdata_00_off0000003b.bin`	rtf-objdata-decoded	RTF \objdata at offset 0x3B	4140 bytes
SHA-256: `84c52b62df68b69cbbcb35b0a934cc4761274553a936923fe7ed0a4a8557762b`

Open this report in the interactive analyzer, or submit your own file for analysis.