Malicious RTF — malware analysis report

Static analysis result for SHA-256 d63cb2f3ea310702…

Verdict: MALICIOUS
File type: RTF
Size: 161.0 KB
MD5: 1bc189a6064eef6085a34f2db3d9ffb4
SHA-1: 474a25a1e4a60fb8089574be6c7e6e2de66c9af9
SHA-256: d63cb2f3ea3107025bbff5dd7eeb6f6ba9e291433875b30ddb2a0c0093e81095
Risk Score: 100

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The RTF file contains an embedded OLE object that triggers the CVE-2017-11882 Equation Editor vulnerability. This vulnerability allows for arbitrary code execution, indicating the file is designed to exploit this known flaw for malicious purposes. No further stages or specific family indicators were identified.

Heuristics (3)

  • CVE-2017-11882 — Equation Editor FONT record overflow (critical, CVE, likely, CVE_2017_11882)
    Equation Editor MTEF contains an overlong FONT typeface field, the vulnerable copy primitive for CVE-2017-11882. This is stronger evidence than the Equation Editor CLSID alone because it identifies the malformed record that drives code execution in EQNEDT32.EXE.
  • OLE object data (medium, RTF_OBJDATA)
    RTF contains 1 \objdata section(s) — embedded OLE objects
  • Embedded OLE object (medium, RTF_OBJEMB)
    RTF contains \objemb — embedded OLE object

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00002381.bin
SHA-256: ae8cd48a4780f6fd499cdb495a5c72cb7ee4ad2d7d91ff294d8dbcb97b0db80e
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x2381
Size: 28445 bytes