Malicious RTF — malware analysis report

Static analysis result for SHA-256 9f7dbd2eedcea7f6…

Verdict: MALICIOUS
File type: RTF
Size: 8.2 KB
MD5: ee3316f4b322942bea0e270f8eb65a32
SHA-1: 97bbf283fb3204d8e190bb53fdda3ef2403d2433
SHA-256: 9f7dbd2eedcea7f609c78e983c1d63f951b0b9d997ef8abeed236412f3c5b4d5
Risk score: 143

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The RTF file contains an embedded OLE object that leverages the Equation Editor vulnerability (CVE-2017-11882). The ".bin" file extracted from the objdata section likely contains shellcode that executes arbitrary code when the object is activated, leading to delivery of a malicious payload. No document body text or scripts were extracted, but the heuristics strongly indicate an exploit targeting the Equation Editor.

Heuristics (3)

  • Equation Editor CLSID [critical] (RTF_EQUATION_EDITOR)
    Equation Editor OLE CLSID found inside an OLE object — exploited by CVE-2017-11882 / CVE-2018-0802 / CVE-2018-0798
  • \objupdate forces OLE activation [high] (RTF_OBJUPDATE)
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data [medium] (RTF_OBJDATA)
    RTF contains 1 \objdata section(s) — embedded OLE objects

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  • Filename: objdata_00_off0000003d.bin
    SHA-256: 89b5098a3cdf6d0fc3c484b0cca9fb897a5fb2b9b5f6f78e5af10c725f59df07
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x3D
    Size: 4144 bytes