Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 c342f81da05b8da1…

MALICIOUS

RTF / .DOC

212.6 KB
MD5: 37ef290042de67ceede2ee41796fd288 SHA-1: 971ceccb966ae96811653501262562b2feb8d37f SHA-256: c342f81da05b8da1b9f40413ce605e06e02590ef4d2edfd1cafa8a464bd46a59
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious File

The RTF document contains embedded OLE object data, specifically triggering the CVE-2017-11882 vulnerability in Microsoft Equation Editor. This exploit allows for arbitrary code execution upon opening the document. The presence of ".objupdate" further indicates that the embedded object is intended to be activated automatically. The primary attack vector is likely a spearphishing attachment.

Heuristics 3

  • CVE-2017-11882 — Equation Editor FONT record overflow critical CVE likely CVE_2017_11882
    Equation Editor MTEF contains an overlong FONT typeface field, the vulnerable copy primitive for CVE-2017-11882. This is stronger evidence than the Equation Editor CLSID alone because it identifies the malformed record that drives code execution in EQNEDT32.EXE.
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 2 \objdata section(s) — embedded OLE objects

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off00000f72.bin
acdd1c1876da8f06bb196a63542554054e470be8d87fce78cf9c4060cd962483		 rtf-objdata-decoded RTF \objdata at offset 0xF72 3664 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.