RTF malware analysis — malicious · 64076df03bf84049

MALICIOUS

RTF

97.4 KB Created: 2021-07-16 07:42:00

MD5: d722c03ffaf07655b11d27d9e1d42c87 SHA-1: 7acb5ebc19f524d2827851673b596ca5483fbeff SHA-256: 64076df03bf84049e28769d1bdd325437893928706613de0910441bc01048ec4

162 Risk Score

Malware Insights

MITRE ATT&CK

T1203 Exploitation for Client Execution

The RTF file contains an embedded OLE object, specifically identified as an Equation Editor object. Heuristics indicate a critical vulnerability, CVE-2017-11882, which is a known font record overflow exploit within Equation Editor. This exploit allows for arbitrary code execution when the object is processed.

Heuristics 5

CVE-2017-11882 — Equation Editor FONT record overflow critical CVE likely CVE_2017_11882

Equation Editor MTEF contains an overlong FONT typeface field, the vulnerable copy primitive for CVE-2017-11882. This is stronger evidence than the Equation Editor CLSID alone because it identifies the malformed record that drives code execution in EQNEDT32.EXE.
Equation Editor CLSID critical RTF_EQUATION_EDITOR

Equation Editor OLE CLSID found inside an OLE object — exploited by CVE-2017-11882 / CVE-2018-0802 / CVE-2018-0798
OLE object data medium RTF_OBJDATA

RTF contains 1 \objdata section(s) — embedded OLE objects
Embedded OLE object medium RTF_OBJEMB

RTF contains \objemb — embedded OLE object
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://schemas.microsoft.com/office/word/2003/wordml

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`objdata_00_off0000301d.bin` `0109f29ba73d8a06ba5b0763ff15e485d8a02093d47d8d94baa960f825669f10`	rtf-objdata-decoded	RTF \objdata at offset 0x301D	3631 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.