Malicious RTF — malware analysis report

Static analysis result for SHA-256 4add41d16684def6…

Verdict: MALICIOUS
File type: RTF
Size: 66.9 KB
First seen: 2023-08-28
MD5: be361f6359d960ec5564594a62085e11
SHA-1: f2567fc900b8e840fc35d8426b6af8ee0f039224
SHA-256: 4add41d16684def6f4e439f0ce73ca41e4cdc44b0db409ec7495ca282b5e251b
Risk score: 140

Malware Insights

MITRE ATT&CK
T1204.002 User Execution: Malicious File; T1059.001 Command and Scripting Interpreter: PowerShell

The RTF file contains OLE object data and specifically triggers the CVE-2017-11882 heuristic, indicating exploitation of the Equation Editor (EQNEDT32.EXE) vulnerability. The document body includes a lure telling the reader to click 'Enable editing' on the yellow Protected View bar: embedded objects are not activated while a document is in Protected View, so the lure exists to get the reader out of it, after which \objupdate activates the object without any further click. The embedded OLE object is most likely the exploit carrier itself, holding both the malformed Equation Editor data that triggers the overflow and the code that runs once EQNEDT32.EXE is exploited.

Heuristics (4)

  • CVE-2017-11882 — Equation Editor FONT record overflow (critical; CVE likely; rule CVE_2017_11882)
    Equation Editor MTEF data contains a FONT record whose typeface field is longer than the fixed-size (36-byte) stack buffer that EQNEDT32.EXE copies it into without a length check; that unbounded copy is the CVE-2017-11882 primitive. This is stronger evidence than the Equation Editor CLSID (or the Equation.3 class name) alone, because it identifies the malformed record that drives code execution rather than merely the presence of the vulnerable component.
  • \objupdate forces OLE activation (high; rule RTF_OBJUPDATE)
    RTF contains \objupdate, which makes Word update, and therefore load and activate, the embedded OLE object as soon as the document is opened, without the user double-clicking it. Legitimate documents rarely need it; it is seen almost exclusively in Equation Editor exploit documents.
  • OLE object data (medium; rule RTF_OBJDATA)
    RTF contains 1 \objdata section: one hex-encoded embedded OLE object, carved out under Extracted artifacts below.
  • Macro/content-enable lure (medium; rule SE_ENABLE_LURE)
    Document text instructs the user to enable macros or editing. Macro droppers use this to get past Office macro security settings; an RTF has no macros, so here the lure serves to take the reader out of Protected View, where embedded objects stay inactive, so that the OLE exploit can fire.
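The four heuristics above can be reproduced with a short static-triage script. The following is an added example, not the analysis platform's own tooling: it parses the \objdata hex, the OLE 1.0 ObjectHeader, the EQNOLEFILEHDR of the Equation Native stream and the MTEF records, and reports \objupdate, the enable lure, the object's class name and the longest FONT typeface. It runs on a constructed RTF (not the analysed sample) carrying an Equation.3 object with a 44-byte typeface. Assumptions, also marked in comments: the 36-byte (0x24) stack buffer size in EQNEDT32.EXE, a simplified MTEF walker that only handles LINE, FONT and END records, a simplified \objdata reader that stops at the first closing brace, and locating the MTEF bytes by scanning for the EQNOLEFILEHDR rather than parsing the OLE compound file that real samples wrap it in (use olefile for that).

```python
import re
import struct

FONT_NAME_BUFFER = 36  # assumption: 0x24-byte stack buffer EQNEDT32.EXE copies the typeface into
EQN_FILE_HDR_LEN = 28  # EQNOLEFILEHDR: cbHdr(2) version(4) cf(2) cbObject(4) reserved(16)
EQN_HDR_SIG = b"\x1c\x00\x00\x00\x02\x00"  # cbHdr = 0x1C, version = 0x00020000
MTEF_HEADER_LEN = 5  # MTEF version, platform, product, product version, subversion
_OBJDATA_RE = re.compile(rb"\\objdata\b([^}]*)")
_CONTROL_WORD_RE = re.compile(rb"\\[A-Za-z]+-?\d* ?")
_LURE_RE = re.compile(rb"enable\s+(editing|content|macros)", re.I)


def extract_objdata(rtf):
    """Decode each \\objdata destination (hex text) into raw OLE bytes.
    Simplified: the group ends at the first '}'; interleaved control words are dropped."""
    blobs = []
    for m in _OBJDATA_RE.finditer(rtf):
        hexdigits = re.sub(rb"[^0-9A-Fa-f]", b"", _CONTROL_WORD_RE.sub(b"", m.group(1)))
        blobs.append(bytes.fromhex(hexdigits[: len(hexdigits) & ~1].decode("ascii")))
    return blobs


def parse_ole1(blob):
    """OLE 1.0 EmbeddedObject: ObjectHeader (OLEVersion, FormatID, three length-prefixed
    strings: ClassName, TopicName, ItemName), then NativeDataSize and NativeData."""
    version, format_id = struct.unpack_from("<II", blob, 0)
    pos, strings = 8, []
    for _ in range(3):
        (n,) = struct.unpack_from("<I", blob, pos)
        strings.append(blob[pos + 4:pos + 4 + n].rstrip(b"\0").decode("latin-1"))
        pos += 4 + n
    (native_len,) = struct.unpack_from("<I", blob, pos)
    return {"version": version, "format_id": format_id, "class_name": strings[0],
            "native": blob[pos + 4:pos + 4 + native_len]}


def find_mtef(native):
    """Offset of the MTEF bytes just past the EQNOLEFILEHDR of the 'Equation Native' stream.
    Assumption: real samples keep that stream in an OLE compound file (extract it with
    olefile); a plain header scan only works while the stream is stored contiguously."""
    i = native.find(EQN_HDR_SIG)
    return None if i < 0 else i + EQN_FILE_HDR_LEN


def mtef_font_records(mtef):
    """Walk MTEF v3 records and return every FONT record (tag 0x08: tface, style, name\\0).
    Simplified walker: handles LINE without option flags, FONT and END only."""
    fonts, pos = [], MTEF_HEADER_LEN
    while pos < len(mtef):
        tag = mtef[pos]
        if tag == 0x01:  # LINE with no option bits: child records follow directly
            pos += 1
            continue
        if tag != 0x08:  # END (0x00) or an unsupported record: stop the walk
            break
        end = mtef.find(b"\0", pos + 3)
        end = len(mtef) if end < 0 else end
        fonts.append({"offset": pos, "tface": mtef[pos + 1], "style": mtef[pos + 2],
                      "name": mtef[pos + 3:end]})  # the typeface EQNEDT32.EXE copies unbounded
        pos = end + 1
    return fonts


def triage(rtf):
    """Reproduce the report's heuristics: \\objupdate, enable lure, embedded objects,
    class name and the longest MTEF FONT typeface."""
    result = {"objupdate": b"\\objupdate" in rtf,
              "enable_lure": _LURE_RE.search(rtf) is not None, "objects": []}
    for blob in extract_objdata(rtf):
        obj = parse_ole1(blob)
        entry = {"class_name": obj["class_name"], "format_id": obj["format_id"],
                 "font_name_len": 0, "overlong_font": False}
        start = find_mtef(obj["native"])
        for rec in ([] if start is None else mtef_font_records(obj["native"][start:])):
            entry["font_name_len"] = max(entry["font_name_len"], len(rec["name"]))
            entry["overlong_font"] |= len(rec["name"]) > FONT_NAME_BUFFER
        result["objects"].append(entry)
    result["cve_2017_11882_likely"] = any(o["overlong_font"] for o in result["objects"])
    return result


# Constructed sample (not the analysed file): MTEF -> Equation Native -> OLE1 -> RTF.
def build_sample(font_name, objupdate=True, class_name=b"Equation.3"):
    mtef = bytes([0x03, 0x01, 0x01, 0x03, 0x0A]) + b"\x01"  # MTEF v3 header, LINE record
    mtef += b"\x08\x5a\x5a" + font_name + b"\x00" + b"\x00"  # FONT record, END record
    native = struct.pack("<HIHI4I", 0x1C, 0x00020000, 0, len(mtef), 0, 0, 0, 0) + mtef
    lpstr = lambda s: struct.pack("<I", len(s)) + s
    ole1 = (struct.pack("<II", 0x00000501, 2) + lpstr(class_name + b"\0") + lpstr(b"")
            + lpstr(b"") + struct.pack("<I", len(native)) + native)  # FormatID 2 = embedded
    hexdata = ole1.hex().encode("ascii")
    lines = b"\n".join(hexdata[i:i + 64] for i in range(0, len(hexdata), 64))
    return (b"{\\rtf1\\ansi\\deff0{\\fonttbl{\\f0 Arial;}}\n"
            b"\\pard Please click Enable Editing on the yellow bar to view this document.\\par\n"
            b"{\\object\\objemb" + (b"\\objupdate" if objupdate else b"")
            + b"{\\*\\objclass Equation.3}{\\*\\objdata\n" + lines + b"\n}}\n}")


MALICIOUS_RTF = build_sample(b"A" * 44)  # 44-byte typeface: the overlong FONT record
BENIGN_RTF = build_sample(b"Times New Roman", objupdate=False)

if __name__ == "__main__":
    for name, sample in (("malicious", MALICIOUS_RTF), ("benign", BENIGN_RTF)):
        print(name, triage(sample))
```

On a real sample, feed the file bytes to triage() and, if find_mtef() returns None, open the decoded native data with olefile and pass the 'Equation Native' stream to mtef_font_records() directly; the overlong typeface is the record to look at, since the CLSID or Equation.3 class name only proves the vulnerable component is referenced.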

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename                     Kind                 Source                          Size
objdata_00_off0000375c.bin   rtf-objdata-decoded  RTF \objdata at offset 0x375C   4167 bytes
SHA-256: 0d47f85dd34bce37ba21f2fdaa1eb098e32d882c9b89e806a1b626d35b9d21dd