Malicious RTF — malware analysis report

Static analysis result for SHA-256 91e7fff3030c66a5…

MALICIOUS

RTF

52.8 KB First seen: 2018-11-20
MD5: bb93f8886d03476d73a2fddbc75fe3c3 SHA-1: c4a5556d9a898ff43b359322bc17f0e11d3068fe SHA-256: 91e7fff3030c66a5db2bd0641c7de3deb61cf1a6c49d9865338030e3cb948d35
120 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The RTF file contains OLE object data and an \objupdate directive, which are indicators of an embedded exploit. ClamAV specifically identifies this file as Doc.Exploit.CVE_2017_11882-6934206-0, confirming the exploitation of the Equation Editor vulnerability (CVE-2017-11882). This exploit allows for arbitrary code execution on the victim's machine.

Heuristics 3

  • ClamAV: Doc.Exploit.CVE_2017_11882-6934206-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Exploit.CVE_2017_11882-6934206-0
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off0000003a.bin rtf-objdata-decoded RTF \objdata at offset 0x3A 4142 bytes
SHA-256: b387482df76bf3b7369d1a027381f4f030feb1968c6b0224d0f0afbed5e95dff

Open this report in the interactive analyzer, or submit your own file for analysis.