Malicious RTF — malware analysis report

Static analysis result for SHA-256 bd1e7b42a9c26526…

MALICIOUS

RTF

Size: 440.1 KB
Created: 2018-01-17 09:09:00
Authoring application: Microsoft Word 11.0.5604
First seen: 2020-06-01
MD5: 07544892999b91ae2c9280d8ee3c663a
SHA-1: 28531bcfaad25a5b1230f60f243ce617b6c237d2
SHA-256: bd1e7b42a9c265266b8cc5cc966470497c4f9cba2b247d1f036b6b3892106b52
Risk Score: 320

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution
T1566.001 Spearphishing Attachment

The file is an RTF document that exploits CVE-2017-11882 via the Equation Editor component. This vulnerability allows for arbitrary code execution, which is a critical finding. The presence of OLE objects and extracted binary artifacts further supports the exploitation of this vulnerability. The document body discusses climate change projects in Vietnam, which appears to be a lure to disguise the malicious intent.

Heuristics (8)

  • Equation Editor CLSID (severity: critical; CVE likely; rule: RTF_EQUATION_EDITOR)
    Equation Editor OLE CLSID found inside an OLE object — exploited by CVE-2017-11882 / CVE-2018-0802 / CVE-2018-0798
  • CVE-2017-11882 — Equation Editor FONT record overflow (severity: critical; CVE likely; rule: CVE_2017_11882)
    Equation Editor MTEF contains an overlong FONT typeface field, the vulnerable copy primitive for CVE-2017-11882. This is stronger evidence than the Equation Editor CLSID alone because it identifies the malformed record that drives code execution in EQNEDT32.EXE.
  • ClamAV: Rtf.Exploit.CVE_2018_0802-6624871-1 (severity: critical; rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Rtf.Exploit.CVE_2018_0802-6624871-1
  • \objupdate forces OLE activation (severity: high; rule: RTF_OBJUPDATE)
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • Package object class (severity: high; rule: RTF_OBJCLASS_PACKAGE)
    OLE Package object — can wrap arbitrary files
  • OLE object data (severity: medium; rule: RTF_OBJDATA)
    RTF contains 2 \objdata section(s) — embedded OLE objects
  • Embedded OLE object (severity: medium; rule: RTF_OBJEMB)
    RTF contains \objemb — embedded OLE object
  • Suspicious extracted artifact (severity: medium; rule: EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Artifact 1
  Filename: objdata_00_off00010980.bin
  Kind: rtf-objdata-decoded
  Source: RTF \objdata at offset 0x10980
  Size: 182000 bytes
  SHA-256: bf94954a4dbfa824696538b343eca54fcf7073cc63855b21cbf0fcc5d490492e
  Detection: ClamAV: No threats found
  Obfuscation or payload: likely
    Carved artifact entropy is 8.00, consistent with packed or encrypted content.

Artifact 2
  Filename: objdata_01_off000697b0.bin
  Kind: rtf-objdata-decoded
  Source: RTF \objdata at offset 0x697B0
  Size: 9259 bytes
  SHA-256: fc77889c4d6682c34d7804173535b01aa023e3e2f0f13a8537b00f90a90c23de
  Detection: ClamAV: No threats found
  Obfuscation or payload: likely
    Static shellcode analysis found candidate code region(s). Indicators: NOP sled, SC_GETPC_CALL, SC_STR_VIRTUALPROTECT
    Static shellcode analysis recovered API/import strings: VirtualAlloc, VirtualAllocEx, VirtualProtect, VirtualProtectEx, WriteProcessMemory, ReadProcessMemory