Malicious RTF — malware analysis report

Static analysis result for SHA-256 740e3d70cd5db72d…

MALICIOUS

RTF

7.2 KB
MD5: 8ed0ce6cc04d34c578263ad2be0f2d50
SHA-1: 2ed7d15c7010254e5f391d3c5034eb88c391df0c
SHA-256: 740e3d70cd5db72dee4fc167a15edb3e6ecbcbd3def1ba1c55f9386cb2948f01
Risk Score: 160

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution
T1566.001 Spearphishing Attachment

The RTF file contains an embedded OLE object that exploits CVE-2017-11882, a stack buffer overflow in Microsoft Equation Editor (EQNEDT32.EXE) triggered while the equation object is parsed. Because Office hands the object to Equation Editor when the document is rendered, successful exploitation gives arbitrary code execution in the context of the user opening the file. The presence of this exploit strongly suggests the file is designed to deliver a malicious payload to the victim.

Heuristics 4

  • CVE-2017-11882 — Equation Editor FONT record overflow (severity: critical; tag: CVE likely; rule: CVE_2017_11882)
    The Equation Editor MTEF data contains an overlong FONT typeface field, the field whose copy into a fixed-size stack buffer is the vulnerable primitive behind CVE-2017-11882. This is stronger evidence than the Equation Editor CLSID alone because it identifies the malformed record that drives code execution in EQNEDT32.EXE.
  • Equation Editor CLSID (severity: critical; rule: RTF_EQUATION_EDITOR)
    The Equation Editor OLE CLSID was found inside an embedded OLE object. Equation Editor is the component targeted by CVE-2017-11882, CVE-2018-0802 and CVE-2018-0798.
  • OLE object data (severity: medium; rule: RTF_OBJDATA)
    The RTF contains 1 \objdata section(s), i.e. embedded OLE object data.
  • Embedded OLE object (severity: medium; rule: RTF_OBJEMB)
    The RTF contains \objemb, marking an embedded OLE object.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: objdata_00_off00000030.bin
SHA-256: bea89d2d808c4a042210674bb7f25b9f3d9afc0e4daa65fd7adbf82162da1d70
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x30
Size: 3628 bytes