Malicious RTF — malware analysis report

Static analysis result for SHA-256 a08a43bdda3cfd9d…

MALICIOUS

RTF

Size: 113.1 KB
Created: 2021-07-16 07:42:00
MD5: edcbf78340700dd401b12c9fc56908b8
SHA-1: 471ec293825f48b8231561923755c9adb041c6d7
SHA-256: a08a43bdda3cfd9d862854fac7522f3dab449dc1a75fa267a512dfff6cdeb335
Risk Score: 102

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The RTF file contains an embedded OLE object that triggers the CVE-2017-11882 vulnerability in Microsoft Equation Editor. This vulnerability allows for arbitrary code execution when the object is processed. The embedded URL is benign and does not appear to be part of the exploit chain.

Heuristics (4)

  • CVE-2017-11882 — Equation Editor FONT record overflow [severity: critical; tag: CVE likely; rule: CVE_2017_11882]
    Equation Editor MTEF contains an overlong FONT typeface field, the vulnerable copy primitive for CVE-2017-11882. This is stronger evidence than the Equation Editor CLSID alone because it identifies the malformed record that drives code execution in EQNEDT32.EXE.
  • OLE object data [severity: medium; rule: RTF_OBJDATA]
    RTF contains 1 \objdata section(s) — embedded OLE objects
  • Embedded OLE object [severity: medium; rule: RTF_OBJEMB]
    RTF contains \objemb — embedded OLE object
  • Embedded URL [severity: info; rule: EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.microsoft.com/office/word/2003/wordml

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off000032d6.bin
SHA-256: a7bb8d0884e679e5e5ef667901736eb0c66fa87878047830050bc0f8511fb9d5
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x32D6
Size: 3649 bytes