Malicious RTF — malware analysis report

Static analysis result for SHA-256 a8317adfeb88bfba…

MALICIOUS

RTF

231.5 KB First seen: 2019-01-25
MD5: d47d48c1535d43c6337cc7a4b3cedf0d
SHA-1: bcf91b63a596604070f892237c8eea0074f7fb1e
SHA-256: a8317adfeb88bfba641cfd271e02a0e944d3bdae55c3fa088650800c1d18fe93
Risk Score: 160

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1566.001 Spearphishing Attachment

The file is an RTF document containing an embedded OLE object that is updated automatically when the document is opened, a pattern indicative of an exploit rather than a legitimate embedded object. ClamAV specifically identifies this as Doc.Exploit.CVE_2017_11882-6934206-0, confirming exploitation of the Equation Editor vulnerability. This technique is commonly used to achieve arbitrary code execution, most likely to download and run a subsequent stage.

Heuristics (4)

  • ClamAV: Doc.Exploit.CVE_2017_11882-6934206-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Exploit.CVE_2017_11882-6934206-0
  • Automatically linked OLE object (high, RTF_OBJAUTLINK)
    RTF contains \objautlink — an automatically linked OLE object surface that can be updated or activated when Word opens the document.
  • \objupdate forces OLE activation (high, RTF_OBJUPDATE)
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (medium, RTF_OBJDATA)
    RTF contains 1 \objdata section(s) — embedded OLE objects

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00000a41.bin
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0xA41
Size: 56074 bytes
SHA-256: 0330cfcd2fb99f1463c740f28026eac835c4b62d2d6921b48f563c44e7c03dbd