Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 b83b5c335af90d63…

MALICIOUS

RTF / .DOC

240.6 KB
MD5: 5f782c3139d89e3235c7c5cfdb971c84 SHA-1: 4fe33e364b70bbddfb64b66ca4f3228590e8cbdf SHA-256: b83b5c335af90d63a70414ec5d62190971063ae1b4dc6bb7184bc7484a31ee71
120 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The RTF document contains embedded OLE object data, and critical heuristics indicate the presence of the CVE-2017-11882 vulnerability within the Equation Editor component. This vulnerability is known to allow for arbitrary code execution when the document is opened. The ".objupdate" directive further suggests that the embedded object is intended to be activated automatically.

Heuristics 3

  • CVE-2017-11882 — Equation Editor FONT record overflow critical CVE likely CVE_2017_11882
    Equation Editor MTEF contains an overlong FONT typeface field, the vulnerable copy primitive for CVE-2017-11882. This is stronger evidence than the Equation Editor CLSID alone because it identifies the malformed record that drives code execution in EQNEDT32.EXE.
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 2 \objdata section(s) — embedded OLE objects

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off00001df0.bin
3a90f0f9d60b500f8c55dc8d543e0af12d4ab857137e4b1d49afedff4761ccb4		 rtf-objdata-decoded RTF \objdata at offset 0x1DF0 4170 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.