Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 864ca06cb2639dff…

MALICIOUS

RTF / .DOC

201.0 KB First seen: 2021-10-26
MD5: e903937e230202d7e10d7fba932d5610 SHA-1: 722518727b7305a8b6373a101d0e53192d02239e SHA-256: 864ca06cb2639dff92682c0f3645b523514425bc5112ba57214a4f71de5eea6b
120 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The sample is an RTF document that contains embedded OLE objects, a common technique for exploiting vulnerabilities. Specifically, the 'CVE_2017_11882' heuristic firing indicates exploitation of the Equation Editor vulnerability. This vulnerability allows for arbitrary code execution, which is likely used to download and execute a secondary payload, hence the 'Exploitation for Client Execution' technique. The presence of OLE objects and the specific CVE points to a malicious document, likely delivered via spearphishing.

Heuristics 3

  • CVE-2017-11882 — Equation Editor FONT record overflow critical CVE likely CVE_2017_11882
    Equation Editor MTEF contains an overlong FONT typeface field, the vulnerable copy primitive for CVE-2017-11882. This is stronger evidence than the Equation Editor CLSID alone because it identifies the malformed record that drives code execution in EQNEDT32.EXE.
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 2 \objdata section(s) — embedded OLE objects

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off00001b26.bin
15b819a3c35e0790fda6ffc253b0998191239c1cb6250c7899a61e39cd087870		 rtf-objdata-decoded RTF \objdata at offset 0x1B26 4171 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.