RTF malware analysis — malicious · a1e8a12b2d4aca73

MALICIOUS

RTF

213.4 KB First seen: 2019-01-12

MD5: 7ae66c5907b6bd42eb74142610db70bd SHA-1: 4ee09e5a3b161df6d0f8aabd18f4d4453ceccaa6 SHA-256: a1e8a12b2d4aca737ee75f06ff29e6ebd64e664fd2b8dc2b9694eb43065b6d32

200 Risk Score

Malware Insights

MITRE ATT&CK

T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The RTF document contains embedded OLE object data that triggers a known vulnerability in Microsoft Equation Editor (CVE-2017-11882). This exploit allows for arbitrary code execution, which is typically used to download and execute a second-stage payload. The ClamAV detection further confirms the malicious nature of the exploit.

Heuristics 5

CVE-2017-11882 — Equation Editor FONT record overflow critical CVE likely CVE_2017_11882

Equation Editor MTEF contains an overlong FONT typeface field, the vulnerable copy primitive for CVE-2017-11882. This is stronger evidence than the Equation Editor CLSID alone because it identifies the malformed record that drives code execution in EQNEDT32.EXE.
ClamAV: Doc.Exploit.CVE_2017_11882-6934206-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Exploit.CVE_2017_11882-6934206-0
\objupdate forces OLE activation high RTF_OBJUPDATE

RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
OLE object data medium RTF_OBJDATA

RTF contains 1 \objdata section(s) — embedded OLE objects
Embedded OLE object medium RTF_OBJEMB

RTF contains \objemb — embedded OLE object

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`objdata_00_off0000194f.bin`	rtf-objdata-decoded	RTF \objdata at offset 0x194F	50922 bytes
SHA-256: `ba0633635f814a86ffcfc0383ff87df2d5d8c38e4232f1e785e0d5c1db971f02`

Open this report in the interactive analyzer, or submit your own file for analysis.