RTF malware analysis — malicious · 813256c18f2e1a71

MALICIOUS

RTF

169.6 KB First seen: 2020-12-25

MD5: 9b697941f452511db80fd393c199b44e SHA-1: 7c744b25f58cd86df4d3ecc73758b6474270a2f2 SHA-256: 813256c18f2e1a71db342b1718fe09dd86a42711db228375f917b1158b00de76

140 Risk Score

Heuristics 4

Equation Editor CLSID critical CVE likely RTF_EQUATION_EDITOR

Equation Editor OLE CLSID found inside an OLE object — exploited by CVE-2017-11882 / CVE-2018-0802 / CVE-2018-0798
\objupdate forces OLE activation high RTF_OBJUPDATE

RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
OLE object data medium RTF_OBJDATA

RTF contains 1 \objdata section(s) — embedded OLE objects
Embedded OLE object medium RTF_OBJEMB

RTF contains \objemb — embedded OLE object

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`objdata_00_off000000a0.bin`	rtf-objdata-decoded	RTF \objdata at offset 0xA0	59600 bytes
SHA-256: `dbd5115c4910f4ef6e3b82c9c503da3570601fd1f8984ceae283726d061f5cc4`

Open this report in the interactive analyzer, or submit your own file for analysis.