Malicious RTF — malware analysis report

Static analysis result for SHA-256 980e5638f3f80f17…

MALICIOUS

RTF

72.3 KB
MD5: ed5bfdd8f29f33ac84f34a5d8c35911e SHA-1: 728729be2e5c819316897a3551a39e452eaa7dc8 SHA-256: 980e5638f3f80f17a293ef3b00771f346e8c4867305310831df83e15d28cb729
100 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The RTF document contains an embedded OLE object that triggers the CVE-2017-11882 vulnerability in Microsoft Equation Editor. This vulnerability allows for arbitrary code execution, which is the primary attack vector observed. No further payloads or network indicators were extracted from this specific file.

Heuristics 3

  • CVE-2017-11882 — Equation Editor FONT record overflow critical CVE likely CVE_2017_11882
    Equation Editor MTEF contains an overlong FONT typeface field, the vulnerable copy primitive for CVE-2017-11882. This is stronger evidence than the Equation Editor CLSID alone because it identifies the malformed record that drives code execution in EQNEDT32.EXE.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects
  • Embedded OLE object medium RTF_OBJEMB
    RTF contains \objemb — embedded OLE object

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off00000149.bin
caeb46387fcaa41da6d1d1b3b9ba91808660eef96bdfa37b3f3e98f04bfca647		 rtf-objdata-decoded RTF \objdata at offset 0x149 3631 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.