Malicious RTF — malware analysis report

Static analysis result for SHA-256 686949fb6b1414ee…

MALICIOUS

RTF

32.1 KB First seen: 2019-01-11
MD5: 10e51213b3173d82997644193d75da79 SHA-1: f5d3d2e8db64cda151552d1f7bbd8ed29a7d43d7 SHA-256: 686949fb6b1414ee1dfa87db93411bd679f6b0b3313245314f4f0899d503ca94
180 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The RTF file contains embedded OLE object data and triggers an \objupdate event, indicating an attempt to activate embedded objects. Critical heuristics confirm the exploitation of CVE-2017-11882, a known vulnerability in Microsoft Equation Editor, which allows for arbitrary code execution. This exploit is commonly delivered via spearphishing attachments.

Heuristics 4

  • CVE-2017-11882 — Equation Editor FONT record overflow critical CVE likely CVE_2017_11882
    Equation Editor MTEF contains an overlong FONT typeface field, the vulnerable copy primitive for CVE-2017-11882. This is stronger evidence than the Equation Editor CLSID alone because it identifies the malformed record that drives code execution in EQNEDT32.EXE.
  • ClamAV: Doc.Exploit.CVE_2017_11882-6934206-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Exploit.CVE_2017_11882-6934206-0
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off0000003c.bin rtf-objdata-decoded RTF \objdata at offset 0x3C 3638 bytes
SHA-256: 6a1f05815c94c5fcc55c33cb71f0dec81164e99ce74c1b58dd6fabb1febac92d

Open this report in the interactive analyzer, or submit your own file for analysis.