Malicious RTF — malware analysis report

Static analysis result for SHA-256 6fb58f7c57f9fe3c…

MALICIOUS

RTF

Size: 323.8 KB
Created: 2021-02-12 04:30:00
MD5: 26d75f8d7dd9ba38f72dad773f0efb3f
SHA-1: 9d7e1c64e13b95d8962d5d9f69192513a87d22f4
SHA-256: 6fb58f7c57f9fe3c05642783559bb940883c3eb5bb911ef5be7d5408cb77069e
Risk Score: 102

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1566.001 Spearphishing Attachment

The RTF file contains embedded OLE object data and specifically triggers a critical heuristic for Equation Editor, indicating exploitation of a known vulnerability (CVE-2017-11882). This technique is commonly used to achieve arbitrary code execution, typically to download and run a second-stage payload. The benign URL found is not considered an IOC.

Heuristics (4)

  • Equation Editor CLSID [critical] RTF_EQUATION_EDITOR
    Equation Editor OLE CLSID found inside an OLE object — exploited by CVE-2017-11882 / CVE-2018-0802 / CVE-2018-0798
  • OLE object data [medium] RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects
  • Embedded OLE object [medium] RTF_OBJEMB
    RTF contains \objemb — embedded OLE object
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.microsoft.com/office/word/2003/wordml

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00000122.bin
SHA-256: 9aad1c0061f3791b599a65d8e888c8b915bd8019c83466d76089b50d9093b5e3
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x122
Size: 3630 bytes