Malicious RTF — malware analysis report

Static analysis result for SHA-256 451813ba38de23d1…

MALICIOUS

RTF

Size: 32.8 KB
First seen: 2019-04-17
MD5: 6941cb6f08c9d57fbd982cfd5237bbe3
SHA-1: d6a7373112e407ea6f736e438d97c7cf2ac7e9c8
SHA-256: 451813ba38de23d142f18d3f0e0de266bac1ffa18e0ee822c9c9a4bae469492a
Risk Score: 140

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The RTF file contains OLE object data and triggers an objupdate event, indicating it is designed to exploit embedded objects. ClamAV explicitly detects this file as Doc.Exploit.CVE_2017_11882-6934206-0, confirming the exploitation of the Equation Editor vulnerability. The document body content is heavily obfuscated and does not provide further insight into the attack's specific lure.

Heuristics (4)

  • ClamAV: Doc.Exploit.CVE_2017_11882-6934206-0 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Doc.Exploit.CVE_2017_11882-6934206-0
  • \objupdate forces OLE activation [high, RTF_OBJUPDATE]
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data [medium, RTF_OBJDATA]
    RTF contains 1 \objdata section(s) — embedded OLE objects
  • Embedded OLE object [medium, RTF_OBJEMB]
    RTF contains \objemb — embedded OLE object

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off0000003b.bin
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x3B
Size: 4130 bytes
SHA-256: 8060a606e5bc27951876d60c348675fa393e79fa970c55841acb58551579cacf