Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 8b41d1a405ecb749…

MALICIOUS

RTF / .DOC

14.2 KB
MD5: 0a8d6e5514c7329bdbd4411cb7005c28 SHA-1: e5acd4a420f3522740c4ddad41b3679e8672af67 SHA-256: 8b41d1a405ecb749ac8ef7e4b786317f796689621e33dac57c4215a813337c2a
200 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1059.001 PowerShell

The file is an RTF document that contains an embedded OLE object, specifically targeting the Equation Editor vulnerability (CVE-2017-11882). This is a common technique for exploiting client-side vulnerabilities to execute arbitrary code. The ClamAV detection signature directly confirms the exploit. No document body or script content was available for further analysis, but the exploit itself is sufficient to classify the attack pattern.

Heuristics 5

  • Equation Editor CLSID critical RTF_EQUATION_EDITOR
    Equation Editor OLE CLSID found inside an OLE object — exploited by CVE-2017-11882 / CVE-2018-0802 / CVE-2018-0798
  • ClamAV: Rtf.Exploit.CVE_2017_11882-6584355-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Rtf.Exploit.CVE_2017_11882-6584355-1
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects
  • Embedded OLE object medium RTF_OBJEMB
    RTF contains \objemb — embedded OLE object

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off00001202.bin
484cf631c7e8e98cb4c0dc3426812bc61534edf86e0bcac79f44995a4baeeeb6		 rtf-objdata-decoded RTF \objdata at offset 0x1202 4702 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.