RTF malware analysis — malicious · 50ee1f6dcd102822

MALICIOUS

RTF

85.9 KB

MD5: 14ade7403b17a7a878f614a5c1447dc5 SHA-1: 2a4b124df9f924cf7a6c9f4a47ad92d4543e9b9a SHA-256: 50ee1f6dcd1028225cd2f74a0e4c9507d72fa2704a6a85f31f8fee7c7c59a1ec

100 Risk Score

Malware Insights

MITRE ATT&CK

T1203 Exploitation for Client Execution

The sample is an RTF document that contains an embedded OLE object. Static analysis identified a critical heuristic firing for CVE-2017-11882, indicating exploitation of a known vulnerability in Microsoft Equation Editor. This vulnerability allows for arbitrary code execution.

Heuristics 3

CVE-2017-11882 — Equation Editor FONT record overflow critical CVE likely CVE_2017_11882

Equation Editor MTEF contains an overlong FONT typeface field, the vulnerable copy primitive for CVE-2017-11882. This is stronger evidence than the Equation Editor CLSID alone because it identifies the malformed record that drives code execution in EQNEDT32.EXE.
OLE object data medium RTF_OBJDATA

RTF contains 1 \objdata section(s) — embedded OLE objects
Embedded OLE object medium RTF_OBJEMB

RTF contains \objemb — embedded OLE object

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`objdata_00_off0000235d.bin` `1f8a1cf632a0eb068ef0d7dac14bb96f5945c553d6c67a68c61f3067a71105ca`	rtf-objdata-decoded	RTF \objdata at offset 0x235D	3631 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.