Malicious RTF — malware analysis report

Static analysis result for SHA-256 d70f66cb2bf3d285…

Verdict: MALICIOUS
File type: RTF
Size: 52.2 KB
First seen: 2019-01-12
MD5: 398a6f5d4977ccc14ff29df56315659c
SHA-1: 774f2845496922d0e7bdc030c7ba3fa6934c845c
SHA-256: d70f66cb2bf3d2858322503dcd0d2cf12a0541a0079e7ea56a893cc4684f0a07
Risk score: 120

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The critical ClamAV heuristic explicitly identifies the file as Doc.Exploit.CVE_2017_11882-6934206-0, indicating exploitation of the Equation Editor vulnerability. The presence of OLE object data and the \objupdate control word further supports this finding, suggesting the RTF document is designed to trigger the exploit as soon as it is opened.

Heuristics (3)

  • ClamAV: Doc.Exploit.CVE_2017_11882-6934206-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Exploit.CVE_2017_11882-6934206-0
  • \objupdate forces OLE activation (severity: high, rule: RTF_OBJUPDATE)
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium, rule: RTF_OBJDATA)
    RTF contains 1 \objdata section(s) — embedded OLE objects

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off0000003c.bin
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x3C
Size: 4157 bytes
SHA-256: b4c95bb739addceb75ff31c1e85a7308402053071d0ed7055409a61b8dbdb492