Malicious RTF — malware analysis report

Static analysis result for SHA-256 799304cbde09c1e5…

MALICIOUS

RTF

56.5 KB
MD5: 95d0b0160f893ec51f0f01bcf7c0c662 SHA-1: 4ae620cb6ea6ed92e32d3f20c9b5390b3e4bcab7 SHA-256: 799304cbde09c1e5112692ff162f5ba9cbb5682ee2aa80d895fdaa14d06c8f68
160 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The RTF file contains an embedded OLE object that triggers the CVE-2017-11882 vulnerability in Microsoft Equation Editor. This vulnerability allows for arbitrary code execution, indicating the file is designed to exploit this known flaw. No specific family could be identified, but the exploit mechanism is clear.

Heuristics 4

  • CVE-2017-11882 — Equation Editor FONT record overflow critical CVE likely CVE_2017_11882
    Equation Editor MTEF contains an overlong FONT typeface field, the vulnerable copy primitive for CVE-2017-11882. This is stronger evidence than the Equation Editor CLSID alone because it identifies the malformed record that drives code execution in EQNEDT32.EXE.
  • Equation Editor CLSID critical RTF_EQUATION_EDITOR
    Equation Editor OLE CLSID found inside an OLE object — exploited by CVE-2017-11882 / CVE-2018-0802 / CVE-2018-0798
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects
  • Embedded OLE object medium RTF_OBJEMB
    RTF contains \objemb — embedded OLE object

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off0000010f.bin
75bbe8690dc3af9f5f3a704edc8ed15c64b489673396911e45500f5a93879842		 rtf-objdata-decoded RTF \objdata at offset 0x10F 3631 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.