Malicious RTF — malware analysis report

Static analysis result for SHA-256 ad4ba8dbbda7cddd…

MALICIOUS

RTF

Size: 46.9 KB
First seen: 2019-01-11
MD5: 6979695122310f9f0892739654744ce5
SHA-1: a33152d20cdbf601883abd66cdcc1760f765095e
SHA-256: ad4ba8dbbda7cdddde5492e088b0cbb18de50ffd5965fc19d84ca2b381469067
Risk Score: 120

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The RTF file contains embedded OLE object data and triggers an OLE activation event, strongly indicating an exploit. ClamAV detection confirms this, identifying the exploit as CVE-2017-11882. This vulnerability allows for arbitrary code execution when the embedded object is activated.

Heuristics (3)

  • ClamAV: Doc.Exploit.CVE_2017_11882-6934206-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Exploit.CVE_2017_11882-6934206-0
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off0000003c.bin
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x3C
Size: 3646 bytes
SHA-256: 5f93d43fec553f2595a1e0be197034a54358236698fa7b40477b51f24bf36e7d