RTF malware analysis — malicious · aa25c50a7430d027

MALICIOUS

RTF

48.3 KB First seen: 2021-02-18

MD5: 1efdb63fd54a959b758bbd4ed3c38187 SHA-1: d177f042687e1a3554f8b373a597c12ba3a30a0d SHA-256: aa25c50a7430d02767fa523574d44054fd73fb857bf8f93790f37d6546813eed

180 Risk Score

Heuristics 4

Equation Editor CLSID critical CVE likely RTF_EQUATION_EDITOR

Equation Editor OLE CLSID found inside an OLE object — exploited by CVE-2017-11882 / CVE-2018-0802 / CVE-2018-0798
ClamAV: Rtf.Exploit.CVE_2017_11882-6584355-1 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Rtf.Exploit.CVE_2017_11882-6584355-1
\objupdate forces OLE activation high RTF_OBJUPDATE

RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
OLE object data medium RTF_OBJDATA

RTF contains 1 \objdata section(s) — embedded OLE objects

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`objdata_00_off00003d1e.bin`	rtf-objdata-decoded	RTF \objdata at offset 0x3D1E	12439 bytes
SHA-256: `b93201f224631d97d40acc25c75a50f8a5c4934ed2c914108fc6b0c396957a42`

Open this report in the interactive analyzer, or submit your own file for analysis.