Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 3c1a4f37e24ebf95…

Verdict: MALICIOUS

File type: RTF / .DOC

Size: 13.5 KB

MD5: 025393020781e0f69a558c4b2bf18a20
SHA-1: ec8225d9c0232cc336fdf95c948819bdb7d08370
SHA-256: 3c1a4f37e24ebf95493973bd584d3062944f4a87dc883b31f104f97cc6285808

Risk Score: 180

Malware Insights

MITRE ATT&CK

  • T1204.002 — Malicious File Execution: Malicious File
  • T1566.001 — Phishing: Spearphishing Attachment

The file is an RTF document that contains an embedded OLE object targeting the Equation Editor vulnerability (CVE-2017-11882). The \objdata and \objupdate heuristics, together with the ClamAV detection Rtf.Exploit.CVE_2017_11882, strongly indicate exploitation of this known flaw. The document body is heavily obfuscated and unreadable, suggesting it is designed to trigger the exploit rather than convey information. No scripts or further IOCs were extracted; the exploit itself is the primary attack vector.

Heuristics (4)

  • Equation Editor CLSID (severity: critical, rule: RTF_EQUATION_EDITOR)
    Equation Editor OLE CLSID found inside an OLE object — exploited by CVE-2017-11882 / CVE-2018-0802 / CVE-2018-0798
  • ClamAV: Rtf.Exploit.CVE_2017_11882-6584355-1 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Rtf.Exploit.CVE_2017_11882-6584355-1
  • \objupdate forces OLE activation (severity: high, rule: RTF_OBJUPDATE)
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium, rule: RTF_OBJDATA)
    RTF contains 1 \objdata section(s) — embedded OLE objects

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  • Filename: objdata_00_off000016c0.bin
    SHA-256: af7070965ffd768bfd157ade6c41056393fcc58038ed03e112b5b7eee8c16323
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x16C0
    Size: 3664 bytes