Malicious RTF — malware analysis report

Static analysis result for SHA-256 7da1354621173bc7…

MALICIOUS

RTF

96.7 KB First seen: 2024-06-19
MD5: 34188386f68ca343ef1438c555bf0cbd SHA-1: a5371abe153b87f86c1e59cbf34b0b3eba4591ec SHA-256: 7da1354621173bc76542bfc6f004b813c14f48e9aab4089321e87973182a6a33
120 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1059.001 PowerShell

The RTF file contains embedded OLE object data and triggers an \objupdate event, indicating an attempt to activate embedded content. Critical heuristic firings confirm exploitation of CVE-2017-11882, a known vulnerability in Microsoft Equation Editor. This exploit allows for arbitrary code execution, which is typically used to download and run a secondary malicious payload.

Heuristics 3

  • CVE-2017-11882 — Equation Editor FONT record overflow critical CVE likely CVE_2017_11882
    Equation Editor MTEF contains an overlong FONT typeface field, the vulnerable copy primitive for CVE-2017-11882. This is stronger evidence than the Equation Editor CLSID alone because it identifies the malformed record that drives code execution in EQNEDT32.EXE.
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off000014b1.bin
aa2c0e30e27b17a768ba5a510df17f02f1c88a88149726b90174e99c2a939546		 rtf-objdata-decoded RTF \objdata at offset 0x14B1 4186 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.