Verdict: MALICIOUS
Risk Score: 360
Malware Insights
MITRE ATT&CK
- T1203 Exploitation for Client Execution
- T1566.001 Spearphishing Attachment
The RTF file triggers several critical heuristics that point to exploitation of CVE-2017-11882 through an embedded Microsoft Equation 3.0 OLE object. CVE-2017-11882 is a stack buffer overflow in the legacy Equation Editor component (EQNEDT32.EXE) that yields arbitrary code execution as soon as a vulnerable Office installation opens the document; because the object is marked \objupdate, Word instantiates it automatically, so no click, prompt or macro is required. The combination of embedded OLE object data, the Equation Editor CLSID and an Ole10Native payload stream strongly indicates this exploit vector.
Heuristics (8)
- Equation Editor CLSID [critical; CVE likely; RTF_EQUATION_EDITOR]: The Equation Editor OLE CLSID was found inside an embedded OLE object. The Equation Editor component is the target of CVE-2017-11882, CVE-2018-0802 and CVE-2018-0798.
- Equation Editor Ole10Native payload, CVE-2017-11882 likely [critical; CVE likely; CVE_2017_11882_EQUATION_OLE10NATIVE]: The RTF decodes to an activated Microsoft Equation 3.0 OLE storage whose payload is a high-entropy Ole10Native stream rather than the normal Equation Native (MTEF) data. This is a weaponized Equation Editor RCE delivery shape consistent with CVE-2017-11882/CVE-2018-0802.
- Ole10Native stream in RTF OLE object [high; RTF_OLE10NATIVE_STREAM]: The RTF contains an embedded OLE object with an Ole10Native stream. This is a strong payload-container signal commonly associated with Word/OLE exploit delivery, but on its own it is not specific enough to assign a CVE.
- ClamAV: Rtf.Exploit.CVE_2017_11882-6584355-1 [critical; CLAMAV_DETECTION]: ClamAV detects this file as Rtf.Exploit.CVE_2017_11882-6584355-1.
- Heap-spray pattern detected [high; SC_HEAP_SPRAY]: Repeated 0x04 bytes found. Caveat: CVE-2017-11882 is a stack buffer overflow and needs no heap spray, so a long run of identical bytes in the object data is better read as padding or sled-style filler than as evidence of heap spraying. The disassembly below is simply that byte run decoded as x86 (each 0x04 0x04 pair is add al, 4) and says nothing about the actual payload.

Disassembly

Attempted x86 opcode disassembly of the repeated-byte region:

```text
00000038  0404  add al, 4
0000003A  0404  add al, 4
0000003C  0404  add al, 4
0000003E  0404  add al, 4
00000040  0404  add al, 4
00000042  0404  add al, 4
00000044  0404  add al, 4
00000046  0404  add al, 4
00000048  0404  add al, 4
0000004A  0404  add al, 4
0000004C  0404  add al, 4
0000004E  0404  add al, 4
00000050  0404  add al, 4
00000052  0404  add al, 4
00000054  0404  add al, 4
00000056  0404  add al, 4
00000058  0404  add al, 4
0000005A  0404  add al, 4
0000005C  0404  add al, 4
0000005E  0404  add al, 4
00000060  0404  add al, 4
00000062  0404  add al, 4
00000064  0404  add al, 4
00000066  0404  add al, 4
00000068  0404  add al, 4
0000006A  0404  add al, 4
0000006C  0404  add al, 4
0000006E  0404  add al, 4
00000070  0404  add al, 4
00000072  0404  add al, 4
00000074  0404  add al, 4
00000076  0404  add al, 4
00000078  0404  add al, 4
0000007A  0404  add al, 4
0000007C  0404  add al, 4
0000007E  0404  add al, 4
00000080  0404  add al, 4
00000082  0404  add al, 4
00000084  0404  add al, 4
00000086  0404  add al, 4
00000088  0404  add al, 4
0000008A  0404  add al, 4
0000008C  0404  add al, 4
0000008E  0404  add al, 4
00000090  0404  add al, 4
00000092  0404  add al, 4
00000094  0404  add al, 4
00000096  0404  add al, 4
```
- Automatically linked OLE object [high; RTF_OBJAUTLINK]: The RTF contains \objautlink, an automatically linked OLE object surface that can be updated or activated when Word opens the document.
- \objupdate forces OLE activation [high; RTF_OBJUPDATE]: The RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. This control word is almost exclusively seen in Equation Editor exploit documents.
- OLE object data [medium; RTF_OBJDATA]: The RTF contains 1 \objdata section (embedded OLE object).
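As an added example (not the analyzer's or any vendor's code), the following Python reproduces the document- and object-level checks behind the Malware Insights paragraph and the heuristics above: it carves each {\*\objdata} group, decodes the hex into the OLE 1.0 ObjectHeader that \objdata carries (class name, then the native data), and tests the native data for the compound-file signature, the Equation Editor CLSID, an Ole10Native stream name and a long run of identical bytes. The rule IDs mirror the names used in this report; RUN_THRESHOLD, the helper names and the document produced by build_sample_rtf are assumptions, and that sample is a constructed marker blob, not an exploit. Obfuscated \objdata (interleaved control words, \bin runs) is out of scope.

```python
import re
import struct
import uuid

# Microsoft Equation 3.0 CLSID {0002CE02-0000-0000-C000-000000000046}; CFB stores GUIDs little-endian.
EQUATION_CLSID = uuid.UUID("0002CE02-0000-0000-C000-000000000046").bytes_le
CFB_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")          # OLE2 compound-file signature
OLE10NATIVE = "Ole10Native".encode("utf-16-le")        # CFB directory entry names are UTF-16LE
EQNATIVE = "Equation Native".encode("utf-16-le")       # the stream a benign equation object carries
RUN_THRESHOLD = 32                                     # assumption: toy minimum length for a byte run
OBJDATA_RE = re.compile(rb"\\\*\\objdata\b")
CTRLWORD_RE = re.compile(rb"\\[A-Za-z]+-?[0-9]* ?")   # control words (e.g. \bin) mixed into the hex

def extract_objdata(rtf: bytes):
    """Return [(offset, decoded bytes)] for each {\\*\\objdata ...} group (plain hex only)."""
    found = []
    for m in OBJDATA_RE.finditer(rtf):
        depth, i = 1, m.end()
        while i < len(rtf) and depth:                  # walk to this group's closing brace
            depth += {b"{": 1, b"}": -1}.get(rtf[i:i + 1], 0)
            i += 1
        body = CTRLWORD_RE.sub(b"", rtf[m.end():i - 1])
        hexdigits = re.sub(rb"[^0-9A-Fa-f]", b"", body)
        hexdigits = hexdigits[:len(hexdigits) & ~1]    # drop a dangling nibble
        found.append((m.start(), bytes.fromhex(hexdigits.decode())))
    return found

def parse_ole1(blob: bytes):
    """Parse the MS-OLEDS ObjectHeader that \\objdata decodes to: OLEVersion, FormatID,
    ClassName/TopicName/ItemName as length-prefixed ANSI strings, then (FormatID 2 =
    embedded; 1 = link) NativeDataSize + NativeData. Raises struct.error if truncated."""
    pos = 0

    def u32():
        nonlocal pos
        pos += 4
        return struct.unpack_from("<I", blob, pos - 4)[0]

    def lpstr():
        nonlocal pos
        n = u32()
        pos += n
        return blob[pos - n:pos].rstrip(b"\0").decode("latin-1")

    ole_version, format_id = u32(), u32()
    class_name, topic, item = lpstr(), lpstr(), lpstr()
    size = u32() if format_id == 2 else 0              # FormatID 1 (link) carries no native data
    native = blob[pos:pos + size]
    return {"ole_version": ole_version, "format_id": format_id, "class_name": class_name,
            "topic": topic, "item": item, "native": native}

def longest_byte_run(data: bytes):
    """Return (byte_value, length) of the longest run of a single repeated byte."""
    best = max((m.group() for m in re.finditer(rb"(.)\1*", data, re.DOTALL)), key=len, default=b"")
    return (best[0], len(best)) if best else (None, 0)

def analyze_rtf(rtf: bytes):
    """Document-level and per-object checks; returns {rule_id: detail} using the rule IDs above."""
    hits = {}
    if re.search(rb"\\objupdate\b", rtf):
        hits["RTF_OBJUPDATE"] = "object is instantiated on open without user interaction"
    if re.search(rb"\\objautlink\b", rtf):
        hits["RTF_OBJAUTLINK"] = "automatically linked OLE object"
    objects = extract_objdata(rtf)
    if objects:
        hits["RTF_OBJDATA"] = f"{len(objects)} \\objdata section(s)"
    for offset, blob in objects:
        try:
            obj = parse_ole1(blob)
        except struct.error:
            continue                                   # truncated or garbled OLE1 header
        native = obj["native"]
        has_clsid, has_ole10 = EQUATION_CLSID in native, OLE10NATIVE in native
        if has_clsid:
            hits["RTF_EQUATION_EDITOR"] = f"Equation Editor CLSID in object at 0x{offset:X} ({obj['class_name']})"
        if has_ole10:
            hits["RTF_OLE10NATIVE_STREAM"] = "Ole10Native stream inside the embedded object"
        if native.startswith(CFB_MAGIC) and has_clsid and has_ole10 and EQNATIVE not in native:
            hits["CVE_2017_11882_EQUATION_OLE10NATIVE"] = "Equation storage carries Ole10Native, not Equation Native"
        byte, run = longest_byte_run(native)
        if run >= RUN_THRESHOLD:
            hits["SC_HEAP_SPRAY"] = f"{run} x 0x{byte:02X} filler bytes (not proof of a heap spray)"
    return hits

def build_sample_rtf() -> bytes:
    """Constructed input, NOT an exploit: an Equation.3 object whose 'native data' is just a CFB
    signature, the marker bytes the rules look for, and a run of 0x04 filler."""
    native = (CFB_MAGIC + b"\0" * 24 + EQUATION_CLSID
              + "\x01Ole10Native".encode("utf-16-le") + b"\x04" * 64)
    lp = lambda s: struct.pack("<I", len(s)) + s       # LengthPrefixedAnsiString
    ole1 = (struct.pack("<II", 0x00000501, 2) + lp(b"Equation.3\0") + lp(b"") + lp(b"")
            + struct.pack("<I", len(native)) + native)
    return (b"{\\rtf1\\ansi{\\object\\objemb\\objupdate{\\*\\objclass Equation.3}"
            b"{\\*\\objdata " + ole1.hex().encode() + b"}}}")

if __name__ == "__main__":
    for rule, detail in analyze_rtf(build_sample_rtf()).items():
        print(f"{rule:40} {detail}")
```

Run it on a real sample with `analyze_rtf(open(path, "rb").read())`; the carved native data from parse_ole1 is the same blob the artifact table below lists as objdata_00_off000045e1.bin, so its SHA-256 can be compared directly. The CLSID search is a raw byte scan rather than a full CFB directory walk, which is enough for triage because the directory sectors holding the CLSID are stored uncompressed in the file.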
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| objdata_00_off000045e1.bin | rtf-objdata-decoded | RTF \objdata at offset 0x45E1 | 42064 bytes | 4cf55555f022b280547c22c883e13391aca7ac2fb810f0992b836de20044b8f7 |