Malicious RTF — malware analysis report

Static analysis result for SHA-256 8b538e2ff73d61ee…

MALICIOUS

RTF

48.6 KB First seen: 2019-04-17
MD5: be8a87bcf0437db9b4caadea04b0285c SHA-1: 8c61c02f0b638c9a6050f9e354c78a131f37f8e7 SHA-256: 8b538e2ff73d61ee725fd40b3967ccf687725ab01c3514371eb9dda5c7fd4ea2
180 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The RTF file contains embedded OLE object data and triggers an ".objupdate" directive, indicating an attempt to activate embedded objects. Heuristics confirm the presence of the CVE-2017-11882 vulnerability, which is a known exploit targeting Microsoft Equation Editor. This exploit allows for the execution of arbitrary code, likely to download and run a secondary payload.

Heuristics 4

  • CVE-2017-11882 — Equation Editor FONT record overflow critical CVE likely CVE_2017_11882
    Equation Editor MTEF contains an overlong FONT typeface field, the vulnerable copy primitive for CVE-2017-11882. This is stronger evidence than the Equation Editor CLSID alone because it identifies the malformed record that drives code execution in EQNEDT32.EXE.
  • ClamAV: Doc.Exploit.CVE_2017_11882-6934206-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Exploit.CVE_2017_11882-6934206-0
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off0000003c.bin rtf-objdata-decoded RTF \objdata at offset 0x3C 4131 bytes
SHA-256: 1eac66de1928ff803a733b726d3871017816e6bc04d950e93f75a57d541ebd6d

Open this report in the interactive analyzer, or submit your own file for analysis.