Malicious RTF — malware analysis report

Static analysis result for SHA-256 4dda188b2af633f3…

Verdict: MALICIOUS
File type: RTF
Size: 33.3 KB
First seen: 2021-02-19
MD5: 42006b6e36ceea3298f2e13a637454c9
SHA-1: 7ba99cce0c03979d59007e702ac7ad6d92e9651e
SHA-256: 4dda188b2af633f3e6c4a85791dafdaaa2e81833774f7cebad6e5b4b099f15b9
Risk score: 140

Heuristics (4)

  • Equation Editor CLSID [severity: critical, CVE likely] RTF_EQUATION_EDITOR
    Equation Editor OLE CLSID found inside an OLE object — exploited by CVE-2017-11882 / CVE-2018-0802 / CVE-2018-0798
  • \objupdate forces OLE activation [severity: high] RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data [severity: medium] RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects
  • Embedded OLE object [severity: medium] RTF_OBJEMB
    RTF contains \objemb — embedded OLE object

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename:  objdata_00_off00000078.bin
Kind:      rtf-objdata-decoded
Source:    RTF \objdata at offset 0x78
Size:      11688 bytes
SHA-256:   d818cd5c45ff7481359b52e1c7fbcc719c2a38d401460ac02b1aaf98df0c80ad