Malicious RTF — malware analysis report

Static analysis result for SHA-256 d2edb631e79218e1…

MALICIOUS

RTF

Size: 52.3 KB
First seen: 2019-03-10
MD5: 61770ced35b6b9b2b06bf3a8a605a7d8
SHA-1: bc534bf083174abcf7c6a348e6fa06a2192ad757
SHA-256: d2edb631e79218e1d52983a54928debfd275ad53b316bdd61425a811d948b16a
Risk Score: 180

Malware Insights

MITRE ATT&CK

  • T1203 Exploitation for Client Execution
  • T1566.001 Spearphishing Attachment

The RTF file contains embedded OLE object data and triggers heuristics indicating the exploitation of CVE-2017-11882, a known vulnerability in Microsoft Equation Editor. This vulnerability allows for arbitrary code execution when the document is opened. The ClamAV detection further confirms the malicious nature of the file, specifically identifying it as an exploit targeting this CVE.

Heuristics (4)

  • CVE-2017-11882 — Equation Editor FONT record overflow (severity: critical; tag: CVE likely; rule: CVE_2017_11882)
    Equation Editor MTEF contains an overlong FONT typeface field, the vulnerable copy primitive for CVE-2017-11882. This is stronger evidence than the Equation Editor CLSID alone because it identifies the malformed record that drives code execution in EQNEDT32.EXE.
  • ClamAV: Doc.Exploit.CVE_2017_11882-6934206-0 (severity: critical; rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Exploit.CVE_2017_11882-6934206-0
  • \objupdate forces OLE activation (severity: high; rule: RTF_OBJUPDATE)
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium; rule: RTF_OBJDATA)
    RTF contains 1 \objdata section(s) (embedded OLE objects).

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off0000003b.bin
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x3B
Size: 4156 bytes
SHA-256: ec1d508836811bab6b5228732e209998840ad1a906d9b4798e2fb672a19942b3