Malicious RTF — malware analysis report

Static analysis result for SHA-256 9e64ba53b419529a…

MALICIOUS

RTF

15.7 KB First seen: 2019-08-04
MD5: ce8c481b26a679a92cd43d459d019012 SHA-1: 277c384fc0a86d0d82818d4a15fa403f719b4168 SHA-256: 9e64ba53b419529ae238f6efcbf5159728d1606b74d6c8fc2f64e25800881df1
220 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The RTF file contains embedded OLE object data and specifically triggers the CVE-2017-11882 vulnerability related to the Equation Editor. This indicates an attempt to exploit a known vulnerability for client-side execution. The presence of ".objupdate" suggests that the embedded object is intended to be activated automatically. Given the nature of the exploit, the likely intent is to download and execute a secondary payload, making it a malicious spearphishing attachment.

Heuristics 5

  • Equation Editor CLSID critical CVE likely RTF_EQUATION_EDITOR
    Equation Editor OLE CLSID found inside an OLE object — exploited by CVE-2017-11882 / CVE-2018-0802 / CVE-2018-0798
  • CVE-2017-11882 — Equation Editor FONT record overflow critical CVE likely CVE_2017_11882
    Equation Editor MTEF contains an overlong FONT typeface field, the vulnerable copy primitive for CVE-2017-11882. This is stronger evidence than the Equation Editor CLSID alone because it identifies the malformed record that drives code execution in EQNEDT32.EXE.
  • Automatically linked OLE object high RTF_OBJAUTLINK
    RTF contains \objautlink — an automatically linked OLE object surface that can be updated or activated when Word opens the document.
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off00001c15.bin rtf-objdata-decoded RTF \objdata at offset 0x1C15 4164 bytes
SHA-256: 8f3a6882fb7c1c9c3293af8ab8c047acda88d8b9d4e6b279c35492980a2e9731