Malicious RTF — malware analysis report

Static analysis result for SHA-256 9edccfa0353906bc…

MALICIOUS

RTF

202.8 KB Created: 2010-11-29 16:43:00 First seen: 2012-06-14
MD5: 52dc36e41fc80f5d4c75160b39dd0999 SHA-1: be184823eb61c6ab0b40406783107515c48c9cdf SHA-256: 9edccfa0353906bc72422c7cef39ef29ffb43ec8fdf3146ca49b85adf8dcb670
122 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The RTF file contains a critical heuristic firing for CVE-2010-3333, a known stack overflow vulnerability. This indicates the file is designed to exploit this vulnerability to achieve code execution on a vulnerable system. No other malicious indicators were found.

Heuristics 3

  • CVE-2010-3333 — pFragments RTF stack overflow critical CVE exact CVE_2010_3333
    RTF shape property pFragments has an oversized value, matching the CVE-2010-3333 stack-overflow trigger in Microsoft Word 2002/2003.
  • ClamAV: BC.Legacy.Exploit.CVE_2010_3333-5 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: BC.Legacy.Exploit.CVE_2010_3333-5
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://schemas.openxmlformats.org/drawingml/2006/main (in RTF body)
    • http://schemas.openxmlformats.org/officeDocument/2006/bibliography (in RTF body)
    • http://schemas.openxmlformats.org/officeDocument/2006/customXml (in RTF body)
    • http://schemas.microsoft.com/office/word/2003/wordml (in RTF body)