Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 bfd904bca6651f85…

Verdict:    MALICIOUS
File type:  RTF / .DOC
Size:       133.4 KB
MD5:        c7b96591a6e4dea501b8ab1eb546682f
SHA-1:      7bbdf38ec3d54d9220d3523a551bb5e59fd3664a
SHA-256:    bfd904bca6651f85d90eda740da722d60d6b28e24e1f4ea859d5f021c4a9b4fe
Risk Score: 242

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution
T1059.001 Command and Scripting Interpreter: PowerShell

The file is classified as malicious on the strength of critical heuristic hits indicating exploitation of CVE-2017-11882 via the Equation Editor. The \objdata section, the \objemb control word and, above all, the \objupdate directive (which forces the embedded object to instantiate when the document is opened, so no user interaction is needed) support this. The ClamAV signature Rtf.Exploit.CVE_2017_11882-6584355-1 names the exploit directly, confirming the attack vector. No script was extracted, so the T1059.001 (PowerShell) mapping is not corroborated by a carved artifact; the Equation Editor exploit alone is sufficient to achieve code execution. The single carved \objdata blob (68162 bytes, entropy 7.91) has no ClamAV match of its own but is consistent with an encoded or packed second stage.

Heuristics: 7

  • Composite Moniker in RTF OLE object  [high, CVE related]  RTF_COMPOSITE_MONIKER_RELATED
    RTF contains the Composite Moniker CLSID in an OLE object context, but no scriptlet/SCT payload was found nearby. Treat this as evidence of moniker attack surface rather than as proof of CVE-2017-8570 exploitation.
  • Equation Editor CLSID  [critical]  RTF_EQUATION_EDITOR
    Equation Editor OLE CLSID found inside an OLE object. This component is the target of CVE-2017-11882, CVE-2018-0802 and CVE-2018-0798.
  • ClamAV: Rtf.Exploit.CVE_2017_11882-6584355-1  [critical]  CLAMAV_DETECTION
    ClamAV detected this file as malware: Rtf.Exploit.CVE_2017_11882-6584355-1
  • \objupdate forces OLE activation  [high]  RTF_OBJUPDATE
    RTF contains \objupdate, which forces the embedded OLE object to be instantiated as soon as the document is opened, with no user interaction. Legitimate documents rarely use it; it is characteristic of Equation Editor and similar OLE-activation exploit documents.
  • OLE object data  [medium]  RTF_OBJDATA
    RTF contains 1 \objdata section(s): hex-encoded embedded OLE object payload.
  • Embedded OLE object  [medium]  RTF_OBJEMB
    RTF contains \objemb: the object is embedded rather than linked.
  • Suspicious extracted artifact  [info]  EXTRACTED_FILE_STATIC_TRIAGE
    One or more files carved from this sample matched static suspicious-content checks (script obfuscation, encoded payload blobs, packed data, or execution/download terms). Here that is the carved \objdata blob, flagged on entropy.

Extracted artifacts: 1

Files carved from inside the sample during analysis.

Filename:  objdata_00_off00000043.bin
SHA-256:   bd055573db498aacde360f84b8bbd204fd9daec0f52391b5b37f8b9e1205dabb
Kind:      rtf-objdata-decoded
Source:    RTF \objdata at offset 0x43
Size:      68162 bytes
Detection:
  ClamAV: No threats found
  Obfuscation or payload: likely
  Carved artifact entropy is 7.91, consistent with packed or encrypted content. A clean ClamAV result on the carved blob does not lower the verdict: the signature match is on the parent RTF, and the blob's entropy is what is expected of an encoded second stage that the exploit would decode at runtime.
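As an added example (not code or output from the analysis service that produced this report), the following Python re-implements the RTF heuristics listed above (RTF_OBJUPDATE, RTF_OBJEMB, RTF_OBJDATA, RTF_EQUATION_EDITOR, RTF_COMPOSITE_MONIKER_RELATED) and the carve-and-measure triage shown in the extracted-artifacts section: it walks each \objdata group, decodes the hex into the OLE1 object it carries, reads the class name from the OLE1 header, checks for the Equation Editor and Composite Moniker CLSIDs, and reports the carved blob's size and Shannon entropy. It assumes the OLE1 ObjectHeader layout from MS-OLEDS and the textual CLSIDs for Equation.3 and the OLE composite moniker; the two sample RTFs are constructed fixtures with high-entropy filler in place of a payload, not the analysed file, and carry no exploit.

```python
import math
import re
from collections import Counter

# CLSIDs behind the RTF_EQUATION_EDITOR and RTF_COMPOSITE_MONIKER_RELATED heuristics.
EQUATION_EDITOR_CLSID = "0002CE02-0000-0000-C000-000000000046"
COMPOSITE_MONIKER_CLSID = "00000309-0000-0000-C000-000000000046"


def clsid_to_bytes(clsid: str) -> bytes:
    """On-disk GUID encoding: Data1/Data2/Data3 little-endian, Data4 as written."""
    d1, d2, d3, d4a, d4b = clsid.split("-")
    return (int(d1, 16).to_bytes(4, "little") + int(d2, 16).to_bytes(2, "little")
            + int(d3, 16).to_bytes(2, "little") + bytes.fromhex(d4a + d4b))


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 is the ceiling, reached by random or encrypted content."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0


def carve_objdata(rtf: bytes):
    """Yield (offset, decoded bytes) per \\objdata group. Hex digits are collected until
    the group closes; whitespace and control words injected into the hex are skipped."""
    for m in re.finditer(rb"\\objdata", rtf):
        i, depth, hexdigits = m.end(), 0, []
        while i < len(rtf):
            c = rtf[i:i + 1]
            if c == b"{":
                depth += 1
            elif c == b"}":
                if depth == 0:
                    break
                depth -= 1
            elif c == b"\\":  # skip \controlword123 (plus optional space) or \symbol
                cw = re.match(rb"\\(?:[a-zA-Z]+-?\d* ?|.)", rtf[i:])
                i += cw.end() if cw else 1
                continue
            elif c in b"0123456789abcdefABCDEF":
                hexdigits.append(c)
            i += 1
        h = b"".join(hexdigits)
        yield m.start(), bytes.fromhex(h[:len(h) & ~1].decode())


def parse_ole1(blob: bytes):
    """OLE1 ObjectHeader (MS-OLEDS): OLEVersion, FormatID, then ClassName/TopicName/
    ItemName as length-prefixed ANSI strings, then NativeDataSize and NativeData."""
    def lp_string(pos):
        n = int.from_bytes(blob[pos:pos + 4], "little")
        return blob[pos + 4:pos + 4 + n].rstrip(b"\x00").decode("latin-1", "replace"), pos + 4 + n
    if len(blob) < 8:
        return None
    class_name, pos = lp_string(8)
    for _ in range(2):  # TopicName, ItemName (empty for embedded objects)
        _, pos = lp_string(pos)
    size = int.from_bytes(blob[pos:pos + 4], "little")
    return {"class_name": class_name, "native": blob[pos + 4:pos + 4 + size]}


def scan_rtf(rtf: bytes) -> dict:
    """Re-run the report's RTF heuristics and per-blob triage over one document."""
    findings, artifacts = set(), []
    if re.search(rb"\\objupdate\b", rtf):
        findings.add("RTF_OBJUPDATE")
    if re.search(rb"\\objemb\b", rtf):
        findings.add("RTF_OBJEMB")
    for offset, blob in carve_objdata(rtf):
        findings.add("RTF_OBJDATA")
        class_name = (parse_ole1(blob) or {}).get("class_name", "")
        if class_name.lower().startswith("equation") or clsid_to_bytes(EQUATION_EDITOR_CLSID) in blob:
            findings.add("RTF_EQUATION_EDITOR")
        if clsid_to_bytes(COMPOSITE_MONIKER_CLSID) in blob:
            findings.add("RTF_COMPOSITE_MONIKER_RELATED")
        artifacts.append({"offset": offset, "size": len(blob), "class_name": class_name,
                          "entropy": round(shannon_entropy(blob), 2)})
    return {"findings": sorted(findings), "artifacts": artifacts}


def _lp(s: str) -> bytes:
    """Length-prefixed ANSI string; a zero length carries no string bytes."""
    b = s.encode("latin-1") + b"\x00" if s else b""
    return len(b).to_bytes(4, "little") + b


def build_rtf(class_name: str, native: bytes, objupdate: bool) -> bytes:
    """Constructed fixture (not the analysed sample): {\\object\\objemb[\\objupdate]{\\*\\objdata ...}}."""
    ole1 = (b"\x01\x05\x00\x00" + b"\x02\x00\x00\x00"  # OLEVersion 0x501, FormatID 2 = embedded
            + _lp(class_name) + _lp("") + _lp("") + len(native).to_bytes(4, "little") + native)
    hexdata = ole1.hex().encode()
    body = b"\n".join(hexdata[i:i + 64] for i in range(0, len(hexdata), 64))
    body = body[:40] + b"\\par " + body[40:]  # control word injected mid-hex, as obfuscated samples do
    upd = b"\\objupdate" if objupdate else b""
    return b"{\\rtf1\\ansi\n{\\object\\objemb" + upd + b"{\\*\\objdata\n" + body + b"}}\n}"


FILLER = bytes(range(256)) * 4  # maximal-entropy stand-in for an encoded payload
SAMPLE_EQNEDT = build_rtf("Equation.3", FILLER, objupdate=True)
# "OLE2Link" is an illustrative class name; the CLSID bytes are what the heuristic keys on.
SAMPLE_MONIKER = build_rtf("OLE2Link", clsid_to_bytes(COMPOSITE_MONIKER_CLSID) + FILLER, objupdate=False)

if __name__ == "__main__":
    for name, doc in (("eqnedt", SAMPLE_EQNEDT), ("moniker", SAMPLE_MONIKER)):
        print(name, scan_rtf(doc))
```

The first fixture reproduces the combination this report flags (class name Equation.3, \objemb, \objupdate, one high-entropy \objdata blob); the second carries only the composite-moniker CLSID and no \objupdate, which is why the report rates that heuristic as related attack-surface evidence rather than a confirmed exploit. Run it against a real RTF by passing the file bytes to scan_rtf; for production triage, prefer a full RTF parser such as oletools' rtfobj, which handles more evasions than this carver.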