RTF / .DOC malware analysis — malicious · 517b5f1651194679

MALICIOUS

RTF / .DOC

19.3 KB First seen: 2022-08-24

MD5: 0fa3a8bc413f7eba1aa991f5ac1b8bf2 SHA-1: 79ede869eaabe1f029f6fa60ca4650969a9d7954 SHA-256: 517b5f1651194679e76972dfedeb10b472fa65415755769fce868a4b25e92807

140 Risk Score

Malware Insights

MITRE ATT&CK

T1204.002 Malicious File T1566.001 Spearphishing Attachment T1059.005 Visual Basic

The sample is an RTF document that leverages the CVE-2017-11882 Equation Editor vulnerability. The presence of OLE object data and an \objupdate directive strongly indicates an attempt to trigger code execution. The document body contains a lure to 'enable editing', which is a common tactic for macro-based malware or exploit documents to bypass security measures.

Heuristics 4

CVE-2017-11882 — Equation Editor FONT record overflow critical CVE likely CVE_2017_11882

Equation Editor MTEF contains an overlong FONT typeface field, the vulnerable copy primitive for CVE-2017-11882. This is stronger evidence than the Equation Editor CLSID alone because it identifies the malformed record that drives code execution in EQNEDT32.EXE.
\objupdate forces OLE activation high RTF_OBJUPDATE

RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
OLE object data medium RTF_OBJDATA

RTF contains 2 \objdata section(s) — embedded OLE objects
Macro/content-enable lure medium SE_ENABLE_LURE

Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`objdata_00_off000018dc.bin` `b7569b70c53ae6f5b3759a62f19ba20b1aba027752fa2600fb2109730db0c72c`	rtf-objdata-decoded	RTF \objdata at offset 0x18DC	4311 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.