Malicious RTF — malware analysis report

Static analysis result for SHA-256 a6cb10ac74204550…

MALICIOUS

RTF

112.7 KB Created: 2021-07-16 07:42:00
MD5: 961b0755573a65eedd2c6b9316e28e91 SHA-1: 29ddd9170da4c5cdf0b62f21d3248441fe2428f5 SHA-256: a6cb10ac74204550e449e92277d73a1952937355eb899921704ff559ea381393
102 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The RTF document contains an embedded OLE object that triggers a critical vulnerability, CVE-2017-11882, within the Microsoft Equation Editor. This exploit allows for arbitrary code execution on the victim's machine. No document body or script content was available for further analysis, but the exploit itself is sufficient to indicate malicious intent.

Heuristics 4

  • CVE-2017-11882 — Equation Editor FONT record overflow critical CVE likely CVE_2017_11882
    Equation Editor MTEF contains an overlong FONT typeface field, the vulnerable copy primitive for CVE-2017-11882. This is stronger evidence than the Equation Editor CLSID alone because it identifies the malformed record that drives code execution in EQNEDT32.EXE.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects
  • Embedded OLE object medium RTF_OBJEMB
    RTF contains \objemb — embedded OLE object
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.microsoft.com/office/word/2003/wordml

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off000032e3.bin
f22bee80794b2205921720384ba0060ec0575e2a63940bf75f2a890685223e84		 rtf-objdata-decoded RTF \objdata at offset 0x32E3 3629 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.