Malicious RTF — malware analysis report

Static analysis result for SHA-256 be22a0eabee9cdd3…

MALICIOUS

RTF

50.9 KB
MD5: 6f246d738ce7ef0e1547d39d4c85960b SHA-1: 4a09f2a6ac4187066c3b86bcb600eb4c528ebd5e SHA-256: be22a0eabee9cdd32aeac97e835f801fcab36ed62d288add5c4e6d0a2f7ad221
160 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The RTF document contains an embedded OLE object that triggers the CVE-2017-11882 vulnerability in the Equation Editor. This vulnerability allows for arbitrary code execution, which is the primary attack vector observed. No further payloads or network indicators were extracted from this sample.

Heuristics 4

  • CVE-2017-11882 — Equation Editor FONT record overflow critical CVE likely CVE_2017_11882
    Equation Editor MTEF contains an overlong FONT typeface field, the vulnerable copy primitive for CVE-2017-11882. This is stronger evidence than the Equation Editor CLSID alone because it identifies the malformed record that drives code execution in EQNEDT32.EXE.
  • Equation Editor CLSID critical RTF_EQUATION_EDITOR
    Equation Editor OLE CLSID found inside an OLE object — exploited by CVE-2017-11882 / CVE-2018-0802 / CVE-2018-0798
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects
  • Embedded OLE object medium RTF_OBJEMB
    RTF contains \objemb — embedded OLE object

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off00000109.bin
0207009bc46fa04343bcdd2549ebb6dfa9dc21f72ee290b6819ce7b35184f1e3		 rtf-objdata-decoded RTF \objdata at offset 0x109 3631 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.