RTF / .DOC malware analysis — malicious · b4eb0cb5fc323e79

MALICIOUS

RTF / .DOC

67.7 KB First seen: 2023-08-28

MD5: 2fa1f6aa05985845ef2cdebc49b667d5 SHA-1: 28369139145b8dcd6146e76a89bd7671f3699345 SHA-256: b4eb0cb5fc323e79086181dd8d345038e9382ecf71a35a95236982154987eb10

140 Risk Score

Malware Insights

MITRE ATT&CK

T1204.002 Malicious File: User Execution T1566.001 Phishing: Spearphishing Attachment

The sample is an RTF document that exploits the CVE-2017-11882 Equation Editor vulnerability. The document body presents a fabricated financial audit report, instructing the user to 'Enable editing' to bypass security measures. This lure, combined with the known exploit, indicates a high likelihood of the document attempting to download and execute a secondary payload.

Heuristics 4

CVE-2017-11882 — Equation Editor FONT record overflow critical CVE likely CVE_2017_11882

Equation Editor MTEF contains an overlong FONT typeface field, the vulnerable copy primitive for CVE-2017-11882. This is stronger evidence than the Equation Editor CLSID alone because it identifies the malformed record that drives code execution in EQNEDT32.EXE.
\objupdate forces OLE activation high RTF_OBJUPDATE

RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
OLE object data medium RTF_OBJDATA

RTF contains 1 \objdata section(s) — embedded OLE objects
Macro/content-enable lure medium SE_ENABLE_LURE

Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`objdata_00_off00003367.bin` `00f93261939381330cafc3928259e4d0f16927a4b2b3ba013452f0815d7ed6b7`	rtf-objdata-decoded	RTF \objdata at offset 0x3367	4161 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.