Malicious RTF — malware analysis report

Static analysis result for SHA-256 90fc3b91a67fea69…

Verdict: MALICIOUS
File type: RTF
Size: 156.2 KB
Created: 2017-11-23 01:06:00
First seen: 2019-08-04
MD5: fee7bc1ab1f53a82dedae22bac722a5a
SHA-1: 86f29dfb0a91628d145ec978baa8c756237bdbcb
SHA-256: 90fc3b91a67fea6982e59191772c4e88b589f6d4747e8e94ec0234e956daa5f6
Risk Score: 180

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The RTF file contains multiple OLE object data sections and triggers heuristics related to Equation Editor exploitation and automatic OLE object activation. ClamAV specifically identifies it as Rtf.Exploit.CVE_2018_0802-6825822-0, a signature for a known vulnerability in the Equation Editor component. Taken together, this indicates the file is designed to exploit CVE-2018-0802 to achieve code execution when the document is opened.

Heuristics (4)

  • Equation Editor CLSID [critical] (RTF_EQUATION_EDITOR)
    Equation Editor OLE CLSID found inside an OLE object; this component is targeted by CVE-2017-11882 / CVE-2018-0802 / CVE-2018-0798.
  • ClamAV: Rtf.Exploit.CVE_2018_0802-6825822-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Rtf.Exploit.CVE_2018_0802-6825822-0
  • \objupdate forces OLE activation [high] (RTF_OBJUPDATE)
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data [medium] (RTF_OBJDATA)
    RTF contains 8 \objdata section(s) (embedded OLE objects).

Extracted artifacts (8)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size | SHA-256
objdata_00_off00007803.bin | rtf-objdata-decoded | RTF \objdata at offset 0x7803 | 2624 bytes | 27f8f0d05db12b380b9c7fac063fd2122e9deafb44f481a5df93a06255830c59
objdata_01_off00008ed1.bin | rtf-objdata-decoded | RTF \objdata at offset 0x8ED1 | 697 bytes | 5c1695d83a6094492dfb625ef6b1dd32fd7b4822b4312b8fbb8af16d37506188
objdata_02_off00009691.bin | rtf-objdata-decoded | RTF \objdata at offset 0x9691 | 747 bytes | 7e205bc3bf94c3dccec957716f32e146f03ccfa7fdc1b3cabb4d225d0f64c300
objdata_03_off00009eb5.bin | rtf-objdata-decoded | RTF \objdata at offset 0x9EB5 | 256 bytes | 29f9feabb81505b1f9507fa75b3cf8786b98a1e7733500e50df20f8680be5434
objdata_04_off0000a311.bin | rtf-objdata-decoded | RTF \objdata at offset 0xA311 | 2637 bytes | 3b8e05136fc38506737c409d2ed1e11d4801b1ee6a5dd206c48785f9dbc2d81c
objdata_05_off0000bb25.bin | rtf-objdata-decoded | RTF \objdata at offset 0xBB25 | 4681 bytes | 8f8a9b4c48227d768fadfa41927656cfdd58236ec9d3ce19c981f1e410b21bfc
objdata_06_off0000e330.bin | rtf-objdata-decoded | RTF \objdata at offset 0xE330 | 3979 bytes | e64452940e6a40ed9bd678227a8d53771f1d47a9c69d646d102cab8dc49427ee
objdata_07_off000105c1.bin | rtf-objdata-decoded | RTF \objdata at offset 0x105C1 | 2600 bytes | f76517aca4271d497ab3ae872cbacf1a810337193103d90d371089dd2d1824fe