Malicious RTF — malware analysis report

Static analysis result for SHA-256 749340c532f2c022…

MALICIOUS

RTF

Size: 259.4 KB
First seen: 2020-04-06
MD5: 53d0f37dd174272785bb03a8098311ca
SHA-1: a5f0196f76d2589aba133bce0e22d8ef6f9e7979
SHA-256: 749340c532f2c0222c049eb9141e2e74c3cec4df947fdb908657da01dec2d378
Risk Score: 120

Malware Insights

MITRE ATT&CK
T1203 — Exploitation for Client Execution
T1566.001 — Spearphishing Attachment

The sample is an RTF document that contains an embedded OLE object. Static analysis identified a critical heuristic indicating the presence of CVE-2017-11882, a well-known vulnerability in Microsoft Equation Editor (EQNEDT32.EXE) that is routinely exploited in malicious documents. The "\objupdate" heuristic indicates that the embedded object is designed to be activated automatically when the document is opened, leading to the exploitation of this vulnerability. This is a common method for attackers to achieve arbitrary code execution, typically to download and run a second-stage payload.

Heuristics (3)

  • CVE-2017-11882 — Equation Editor FONT record overflow [critical] [CVE likely] (CVE_2017_11882)
    Equation Editor MTEF contains an overlong FONT typeface field, the vulnerable copy primitive for CVE-2017-11882. This is stronger evidence than the Equation Editor CLSID alone because it identifies the malformed record that drives code execution in EQNEDT32.EXE.
  • \objupdate forces OLE activation [high] (RTF_OBJUPDATE)
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data [medium] (RTF_OBJDATA)
    RTF contains 1 \objdata section(s) — embedded OLE objects.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  Filename: objdata_00_off00000e0d.bin
  Kind:     rtf-objdata-decoded
  Source:   RTF \objdata at offset 0xE0D
  Size:     4158 bytes
  SHA-256:  4acfdec91a46a8d0b9748bb4a1876d391d00fb8e13652032d9c98a530a196bbc