RTF malware analysis — malicious · 378a3247352d5a1a

MALICIOUS

RTF

271.8 KB Created: 2021-02-12 04:30:00

MD5: 32083ceb8360f31149393affbeaca614 SHA-1: da324414701b2a533d360349917e443a7727f1ad SHA-256: 378a3247352d5a1ae9ab898080ff29c6a8b5c5adb10ea8eddfb9a58ab19a76d5

102 Risk Score

Malware Insights

MITRE ATT&CK

T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The RTF file contains embedded OLE object data and specifically triggers the CVE-2017-11882 heuristic, indicating exploitation of the Equation Editor vulnerability. This vulnerability allows for arbitrary code execution, which is commonly used to download and run additional malicious payloads. The document body content appears to be a lure related to Afghan refugees and schools, a common tactic for social engineering.

Heuristics 4

CVE-2017-11882 — Equation Editor FONT record overflow critical CVE likely CVE_2017_11882

Equation Editor MTEF contains an overlong FONT typeface field, the vulnerable copy primitive for CVE-2017-11882. This is stronger evidence than the Equation Editor CLSID alone because it identifies the malformed record that drives code execution in EQNEDT32.EXE.
OLE object data medium RTF_OBJDATA

RTF contains 1 \objdata section(s) — embedded OLE objects
Embedded OLE object medium RTF_OBJEMB

RTF contains \objemb — embedded OLE object
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://schemas.microsoft.com/office/word/2003/wordml

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`objdata_00_off00001bc4.bin` `0109f29ba73d8a06ba5b0763ff15e485d8a02093d47d8d94baa960f825669f10`	rtf-objdata-decoded	RTF \objdata at offset 0x1BC4	3631 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.