equation editor exploit — RTF malware analysis

Static analysis result for SHA-256 4a18203a22c9250d…

MALICIOUS

RTF

7.2 KB First seen: 2019-12-10
MD5: 1ea4959a0ee8bdaec87cc05559d64186 SHA-1: 6e82aa8014fc3db3c371804d0e2191f6e1c74d43 SHA-256: 4a18203a22c9250da9f3143be264fccec06852a270d0b060a08369c82505c99b
160 Risk Score

Malware Insights

equation editor exploit · confidence 95%

MITRE ATT&CK
T1203 Exploitation for Client Execution

The RTF file contains embedded OLE object data, specifically triggering the Equation Editor CLSID. The ".objupdate" directive forces OLE activation, indicating an attempt to exploit a vulnerability within the Equation Editor component to achieve arbitrary code execution.

Heuristics 4

  • Equation Editor CLSID critical CVE likely RTF_EQUATION_EDITOR
    Equation Editor OLE CLSID found inside an OLE object — exploited by CVE-2017-11882 / CVE-2018-0802 / CVE-2018-0798
  • Automatically linked OLE object high RTF_OBJAUTLINK
    RTF contains \objautlink — an automatically linked OLE object surface that can be updated or activated when Word opens the document.
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off00000036.bin rtf-objdata-decoded RTF \objdata at offset 0x36 3644 bytes
SHA-256: e524d40004326b869600e7cf301abf76589d4844e4bc5c68897b99714ac97ba7