RTF malware analysis — malicious · d5337efad25a7308

MALICIOUS

RTF

271.7 KB Created: 2021-02-12 04:30:00

MD5: 36812d0e1e066df844c895779b47501c SHA-1: 2152b387d44fba7f16fd27548c1a7e385e7b348b SHA-256: d5337efad25a7308b9542f4e4492680484e71e0ab7b4a2722dd0c249471e24fa

102 Risk Score

Malware Insights

MITRE ATT&CK

T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The RTF file contains an embedded OLE object that exploits the CVE-2017-11882 vulnerability in Microsoft Equation Editor. This exploit allows for the execution of arbitrary code, which is typically used to download and execute a second-stage payload. The document body content appears to be a lure related to Afghan refugees, but the primary malicious functionality stems from the Equation Editor exploit.

Heuristics 4

CVE-2017-11882 — Equation Editor FONT record overflow critical CVE likely CVE_2017_11882

Equation Editor MTEF contains an overlong FONT typeface field, the vulnerable copy primitive for CVE-2017-11882. This is stronger evidence than the Equation Editor CLSID alone because it identifies the malformed record that drives code execution in EQNEDT32.EXE.
OLE object data medium RTF_OBJDATA

RTF contains 1 \objdata section(s) — embedded OLE objects
Embedded OLE object medium RTF_OBJEMB

RTF contains \objemb — embedded OLE object
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://schemas.microsoft.com/office/word/2003/wordml

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`objdata_00_off00001bc4.bin` `0109f29ba73d8a06ba5b0763ff15e485d8a02093d47d8d94baa960f825669f10`	rtf-objdata-decoded	RTF \objdata at offset 0x1BC4	3631 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.