RTF malware analysis — malicious · 647e49809ebc8769

MALICIOUS

RTF

772.8 KB First seen: 2018-11-20

MD5: 5902913b3fe716702efd9f9cb68d10ee SHA-1: 76b16256883a8240ab55f6302641d81a2dc84152 SHA-256: 647e49809ebc876966c4b568753df940361e7ceafa7b88a671534bd76da82332

180 Risk Score

Malware Insights

MITRE ATT&CK

T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The RTF file contains embedded OLE object data and triggers an \objupdate, indicating an attempt to activate embedded content. Critical heuristics identify the CVE-2017-11882 vulnerability, commonly exploited via the Equation Editor, which allows for arbitrary code execution. This suggests the file's primary purpose is to exploit this vulnerability, likely as a precursor to downloading and executing a secondary payload.

Heuristics 4

CVE-2017-11882 — Equation Editor FONT record overflow critical CVE likely CVE_2017_11882

Equation Editor MTEF contains an overlong FONT typeface field, the vulnerable copy primitive for CVE-2017-11882. This is stronger evidence than the Equation Editor CLSID alone because it identifies the malformed record that drives code execution in EQNEDT32.EXE.
ClamAV: Doc.Exploit.CVE_2017_11882-6934206-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Exploit.CVE_2017_11882-6934206-0
\objupdate forces OLE activation high RTF_OBJUPDATE

RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
OLE object data medium RTF_OBJDATA

RTF contains 1 \objdata section(s) — embedded OLE objects

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`objdata_00_off00001f17.bin`	rtf-objdata-decoded	RTF \objdata at offset 0x1F17	4151 bytes
SHA-256: `c819b8b379b02a8968549f7d2f51b8f1f8745bfc2fcbc76586d7ba8179377c03`

Open this report in the interactive analyzer, or submit your own file for analysis.