Malicious RTF — malware analysis report

Static analysis result for SHA-256 d8923a334a8fce85…

MALICIOUS

RTF

Size: 40.1 KB
First seen: 2019-02-20
MD5: b63a761882051082423819dd4877b8b8
SHA-1: 21c4bca8ae0dc0fa1376797562ec274b6663b7e6
SHA-256: d8923a334a8fce856698a9b7e7c2f2bf0323c3b8f97e15a98cc26a0ad113c8d9
Risk score: 120

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The RTF file contains OLE object data (\objdata) and carries an \objupdate control word, which forces the embedded object to be activated as soon as the document is opened. ClamAV explicitly identifies this file as exploiting CVE-2017-11882, a known vulnerability in the Equation Editor component of Microsoft Office; successful exploitation allows arbitrary code execution on the victim's machine.

Heuristics 3

  • ClamAV: Doc.Exploit.CVE_2017_11882-6934206-0 (severity: critical, tag: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Exploit.CVE_2017_11882-6934206-0
  • \objupdate forces OLE activation (severity: high, tag: RTF_OBJUPDATE)
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium, tag: RTF_OBJDATA)
    RTF contains 1 \objdata section(s) (embedded OLE objects).

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: objdata_00_off0000003b.bin
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x3B
Size: 4136 bytes
SHA-256: a680f384abcc5c5c3d62606cf8324eba2d2455aabfb96a397d4f13e6deaa7d63