RTF malware analysis — malicious · bc4063c3f3c5bb4f

MALICIOUS

RTF

277.0 KB Authoring application: Riched20 6.3.9600 First seen: 2021-06-17

MD5: 1401ad828ea63ccc1758a85d80947599 SHA-1: 1139b31036443ec89e38d05c5985fee51b4af7c0 SHA-256: bc4063c3f3c5bb4fbacbe353a8e6343675e7842e12a31e59dcaeeac62af960a9

240 Risk Score

Malware Insights

MITRE ATT&CK

T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The RTF file contains embedded OLE objects, specifically identified as Microsoft Equation Editor. Heuristics indicate that \objupdate forces OLE activation, and the object class is Equation Editor, strongly suggesting exploitation of CVE-2018-0802. This vulnerability allows for arbitrary code execution when the document is opened, likely as a spearphishing attachment.

Heuristics 6

ClamAV: Rtf.Exploit.CVE_2018_0802-6624871-1 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Rtf.Exploit.CVE_2018_0802-6624871-1
Equation Editor object class critical RTF_OBJCLASS_EQUATION

Object class 'equation.3' references Equation Editor
Equation Editor ProgID + OLE object high RTF_EQUATION_EDITOR

RTF references Equation.3 ProgID alongside \objdata — likely Equation Editor (CVE-2017-11882 / CVE-2018-0802 / CVE-2018-0798) but without the binary CLSID payload, so flagged at HIGH instead of CRITICAL.
\objupdate forces OLE activation high RTF_OBJUPDATE

RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
OLE object data medium RTF_OBJDATA

RTF contains 1 \objdata section(s) — embedded OLE objects
Embedded OLE object medium RTF_OBJEMB

RTF contains \objemb — embedded OLE object

Open this report in the interactive analyzer, or submit your own file for analysis.