RTF malware analysis — malicious · 7d1cb23d1ce3f28b

MALICIOUS

RTF

156.4 KB

MD5: 8682fb4b8054013eb078dade2e05be40 SHA-1: aed8df5a21ebeb806d6e238fdb572dab1181aa2b SHA-256: 7d1cb23d1ce3f28ba46b88bd20deedfd25bbd9b48d7a91e9316deaad5cf80aa1

100 Risk Score

Malware Insights

MITRE ATT&CK

T1203 Exploitation for Client Execution

The RTF file contains an embedded OLE object that triggers a critical heuristic for CVE-2017-11882, indicating an exploit targeting the Equation Editor vulnerability. This vulnerability allows for arbitrary code execution on the victim's machine.

Heuristics 3

CVE-2017-11882 — Equation Editor FONT record overflow critical CVE likely CVE_2017_11882

Equation Editor MTEF contains an overlong FONT typeface field, the vulnerable copy primitive for CVE-2017-11882. This is stronger evidence than the Equation Editor CLSID alone because it identifies the malformed record that drives code execution in EQNEDT32.EXE.
OLE object data medium RTF_OBJDATA

RTF contains 1 \objdata section(s) — embedded OLE objects
Embedded OLE object medium RTF_OBJEMB

RTF contains \objemb — embedded OLE object

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`objdata_00_off0000238a.bin` `7a146d327df5addb9a93f69c03547d39c3a4b0b9b8f0eef03a4539ffa2c886f6`	rtf-objdata-decoded	RTF \objdata at offset 0x238A	28445 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.