Malicious RTF — malware analysis report

Static analysis result for SHA-256 4280a08600c93ecf…

MALICIOUS

RTF

7.2 KB First seen: 2020-02-04
MD5: 25fd79676ebc0afeacf93dc0ee3645ef SHA-1: 5ead1166106dcc357fc9ba9c3d07c48711d148a1 SHA-256: 4280a08600c93ecfc00cd4749f7c57319be6f0a8a2b11b4664f3e60f56b08584
180 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The sample is an RTF document containing an OLE object that triggers the Equation Editor vulnerability (CVE-2017-11882). This exploit is designed to execute arbitrary code on the victim's machine. The presence of ".objupdate" further indicates an attempt to force the activation of the embedded OLE object, confirming the exploit's intent.

Heuristics 4

  • Equation Editor CLSID critical CVE likely RTF_EQUATION_EDITOR
    Equation Editor OLE CLSID found inside an OLE object — exploited by CVE-2017-11882 / CVE-2018-0802 / CVE-2018-0798
  • ClamAV: Doc.Exploit.CVE_2017_11882-6934206-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Exploit.CVE_2017_11882-6934206-0
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off0000003c.bin rtf-objdata-decoded RTF \objdata at offset 0x3C 3645 bytes
SHA-256: 4939908fa51882e1c27dde7934745c5186d0ccba07f7aa9c9dd6be1568ed4e80

Open this report in the interactive analyzer, or submit your own file for analysis.