Malicious RTF — malware analysis report

Static analysis result for SHA-256 a477f004306768b6…

MALICIOUS

RTF

84.2 KB
MD5: 4d316dcf557782122df821f1247014ed
SHA-1: c99af339835efbe17635cdf448bf2b43cde87fc2
SHA-256: a477f004306768b68f1f0bd7b4acda694d612b2e5e4c75712218b77c120a99f8
Risk Score: 160

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution; T1566.001 Spearphishing Attachment

The critical heuristics indicate the presence of CVE-2017-11882, a known vulnerability in Microsoft Equation Editor. This vulnerability is typically exploited through specially crafted RTF documents, often delivered via spearphishing attachments, to achieve arbitrary code execution. The presence of OLE object data further supports this attack vector.

Heuristics (4)

  • CVE-2017-11882 — Equation Editor FONT record overflow (severity: critical; rule: CVE_2017_11882)
    Equation Editor MTEF contains an overlong FONT typeface field, the vulnerable copy primitive for CVE-2017-11882. This is stronger evidence than the Equation Editor CLSID alone because it identifies the malformed record that drives code execution in EQNEDT32.EXE.
  • Equation Editor CLSID (severity: critical; rule: RTF_EQUATION_EDITOR)
    Equation Editor OLE CLSID found inside an OLE object — exploited by CVE-2017-11882 / CVE-2018-0802 / CVE-2018-0798.
  • OLE object data (severity: medium; rule: RTF_OBJDATA)
    RTF contains 1 \objdata section(s) — embedded OLE objects.
  • Embedded OLE object (severity: medium; rule: RTF_OBJEMB)
    RTF contains \objemb — embedded OLE object.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off000023e3.bin
SHA-256: e996b8095d06ecda6c36426dce4dcba96e7a61487ed4b8014b148d5040a25328
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x23E3
Size: 3631 bytes