Malicious RTF — malware analysis report

Static analysis result for SHA-256 8bdc6ccb6f12f5e2…

Verdict: MALICIOUS

File type: RTF

Size: 51.0 KB

MD5: 52cc52c7986d88389afdbdacc85d3063
SHA-1: 90d2e02849d7ddc958b622590b843dce09cfd57b
SHA-256: 8bdc6ccb6f12f5e2a018bfff1af10436db6acce8398b1ba3252924e78333567f

Risk Score: 160

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The RTF document contains an embedded OLE object that triggers the CVE-2017-11882 vulnerability in the Equation Editor. This vulnerability allows for arbitrary code execution, which is the primary attack vector observed. No further payloads or network indicators were extracted from this sample.

Heuristics (4)

  • CVE-2017-11882 — Equation Editor FONT record overflow (critical, likely) [rule CVE_2017_11882]
    Equation Editor MTEF contains an overlong FONT typeface field, the vulnerable copy primitive for CVE-2017-11882. This is stronger evidence than the Equation Editor CLSID alone because it identifies the malformed record that drives code execution in EQNEDT32.EXE.
  • Equation Editor CLSID (critical) [rule RTF_EQUATION_EDITOR]
    Equation Editor OLE CLSID found inside an OLE object — exploited by CVE-2017-11882 / CVE-2018-0802 / CVE-2018-0798
  • OLE object data (medium) [rule RTF_OBJDATA]
    RTF contains 1 \objdata section(s) — embedded OLE objects
  • Embedded OLE object (medium) [rule RTF_OBJEMB]
    RTF contains \objemb — embedded OLE object

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off0000010a.bin
SHA-256: 0f9315f41ce26a1080680b8a6e1b97b0ad8a0153df708cea6f42dd1519c6b55b
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x10A
Size: 3631 bytes