Malicious RTF — malware analysis report

Static analysis result for SHA-256 dacb0ebb51a13d01…

MALICIOUS

RTF

Size: 8.2 KB
First seen: 2018-11-13
MD5: 4a4836a276df0f1b57b74a5be0d6f43b
SHA-1: 6e52f23bafe587c854dbf666141b41175fe507f4
SHA-256: dacb0ebb51a13d0154b6397c62bc074ed549c2260cac37ea425d3fcc875d762e
Risk Score: 180

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The sample is an RTF document that contains embedded OLE object data. Heuristics indicate an Equation Editor exploit, specifically CVE-2017-11882, a critical vulnerability that allows arbitrary code execution on the victim's machine when the document is opened.

Heuristics (4)

  • Equation Editor CLSID [critical, CVE likely] (RTF_EQUATION_EDITOR)
    Equation Editor OLE CLSID found inside an OLE object — exploited by CVE-2017-11882 / CVE-2018-0802 / CVE-2018-0798
  • ClamAV: Doc.Exploit.CVE_2017_11882-6934206-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Exploit.CVE_2017_11882-6934206-0
  • \objupdate forces OLE activation [high] (RTF_OBJUPDATE)
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data [medium] (RTF_OBJDATA)
    RTF contains 1 \objdata section(s) (embedded OLE objects)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  Filename: objdata_00_off0000003b.bin
  Kind: rtf-objdata-decoded
  Source: RTF \objdata at offset 0x3B
  Size: 4146 bytes
  SHA-256: 5b0673fb78d9badf5d75bd3d32be1b1c1bd55e92bee97bda956b6e02bd7bde0a