Malicious RTF — malware analysis report

Static analysis result for SHA-256 48f6abaf06c8556d…

MALICIOUS

RTF

Size: 269.7 KB
First seen: 2019-05-16
MD5: b9ab4fb87d860825c529d2a5d7c84999
SHA-1: 6a549e5a5e4079d0fdbc5917b0d9dd63dce582ed
SHA-256: 48f6abaf06c8556d89145929a25b467b4cae44a2e53727796553bfdd519633e5
Risk Score: 200

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution
T1566.001 Spearphishing Attachment

The RTF file contains a critical heuristic indicating the presence of CVE-2017-11882, which is a known vulnerability in Microsoft Equation Editor. The presence of OLE objects and the specific 'EquaTIon.3' class strongly suggest exploitation of this vulnerability for client-side execution. The file is likely delivered as a spearphishing attachment.

Heuristics (5)

  • Split hex Equation Editor ProgID + OLE object (severity: critical, CVE likely; rule: RTF_EQUATION_EDITOR)
    RTF embeds the Equation.3 ProgID as hex bytes near OLE object activation and splits the byte stream with whitespace or an ignorable RTF group. This is an Equation Editor OLE activation surface commonly used by CVE-2017-11882 / CVE-2018-0802 exploit documents.
  • Equation Editor activation, CVE-2017-11882 related (severity: high, CVE related; rule: CVE_2017_11882_ACTIVATION_RELATED)
    RTF decodes to an Equation.3 ProgID and requests OLE activation with \objemb plus \objupdate. This reaches the legacy Equation Editor attack surface used by CVE-2017-11882/CVE-2018-0802 documents, but the malformed MTEF/native payload needed for stronger attribution was not recovered.
  • Automatically linked OLE object (severity: high; rule: RTF_OBJAUTLINK)
    RTF contains \objautlink — an automatically linked OLE object surface that can be updated or activated when Word opens the document.
  • \objupdate forces OLE activation (severity: high; rule: RTF_OBJUPDATE)
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium; rule: RTF_OBJDATA)
    RTF contains 1 \objdata section(s): embedded OLE objects.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off0000117d.bin
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x117D
Size: 81909 bytes
SHA-256: 6b59663a0cbeed938b73af67739d8cf319f6185bb952400771776a6509c475db