Malicious RTF — malware analysis report

Static analysis result for SHA-256 dcb9d569e4ba3069…

MALICIOUS

RTF

Size: 107.9 KB
First seen: 2019-05-16
MD5: 2873cda8710e955ce116597b1b303ad5
SHA-1: 250829881b198d0b8538bd62d0341914c560511e
SHA-256: dcb9d569e4ba30699eabd7f47a07fd117dd74d89b78dca3fb44b2225a5f50ab2
Risk Score: 220

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution
T1566.001 Spearphishing Attachment

The RTF document contains heuristics indicating the exploitation of CVE-2017-11882 through an embedded Equation Editor object. This vulnerability allows for arbitrary code execution when the document is opened. The presence of OLE object data and the specific Equation Editor ProgID strongly suggest this attack vector.

Heuristics (6)

  • Split hex Equation Editor ProgID + OLE object (severity: critical; CVE likely; rule: RTF_EQUATION_EDITOR)
    RTF embeds the Equation.3 ProgID as hex bytes near OLE object activation and splits the byte stream with whitespace or an ignorable RTF group. This is an Equation Editor OLE activation surface commonly used by CVE-2017-11882 / CVE-2018-0802 exploit documents.
  • Equation Editor activation, CVE-2017-11882 related (severity: high; CVE related; rule: CVE_2017_11882_ACTIVATION_RELATED)
    RTF decodes to an Equation.3 ProgID and requests OLE activation with \objemb plus \objupdate. This reaches the legacy Equation Editor attack surface used by CVE-2017-11882/CVE-2018-0802 documents, but the malformed MTEF/native payload needed for stronger attribution was not recovered.
  • Heap-spray pattern detected (severity: high; rule: SC_HEAP_SPRAY)
    Repeated 0x0C bytes found
    Disassembly
    Attempted x86 opcode disassembly
    00000034  0c0c              or al, 0xc
    00000036  0c0c              or al, 0xc
    00000038  0c0c              or al, 0xc
    0000003A  0c0c              or al, 0xc
    0000003C  0c0c              or al, 0xc
    0000003E  0c0c              or al, 0xc
    00000040  0c0c              or al, 0xc
    00000042  0c0c              or al, 0xc
    00000044  0c0c              or al, 0xc
    00000046  0c0c              or al, 0xc
    00000048  0c0c              or al, 0xc
    0000004A  0c0c              or al, 0xc
    0000004C  0c0c              or al, 0xc
    0000004E  0c0c              or al, 0xc
    00000050  0c0c              or al, 0xc
    00000052  0c0c              or al, 0xc
    00000054  0c0c              or al, 0xc
    00000056  0c0c              or al, 0xc
    00000058  0c0c              or al, 0xc
    0000005A  0c0c              or al, 0xc
    0000005C  0c0c              or al, 0xc
    0000005E  0c0c              or al, 0xc
    00000060  0c0c              or al, 0xc
    00000062  0c0c              or al, 0xc
    00000064  0c0c              or al, 0xc
    00000066  0c0c              or al, 0xc
    00000068  0c0c              or al, 0xc
    0000006A  0c0c              or al, 0xc
    0000006C  0c0c              or al, 0xc
    0000006E  0c0c              or al, 0xc
    00000070  0c0c              or al, 0xc
    00000072  0c0c              or al, 0xc
    00000074  0c0c              or al, 0xc
    00000076  0c0c              or al, 0xc
    00000078  0c0c              or al, 0xc
    0000007A  0c0c              or al, 0xc
    0000007C  0c0c              or al, 0xc
    0000007E  0c0c              or al, 0xc
    00000080  0c0c              or al, 0xc
    00000082  0c0c              or al, 0xc
    00000084  0c0c              or al, 0xc
    00000086  0c0c              or al, 0xc
    00000088  0c0c              or al, 0xc
    0000008A  0c0c              or al, 0xc
    0000008C  0c0c              or al, 0xc
    0000008E  0c0c              or al, 0xc
    00000090  0c0c              or al, 0xc
    00000092  0c0c              or al, 0xc
  • \objupdate forces OLE activation (severity: high; rule: RTF_OBJUPDATE)
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium; rule: RTF_OBJDATA)
    RTF contains 1 \objdata section(s) — embedded OLE objects
  • Embedded OLE object (severity: medium; rule: RTF_OBJEMB)
    RTF contains \objemb — embedded OLE object

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off00004f90.bin
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x4F90
Size: 2300 bytes
SHA-256: c7ec3a942785e5ddd8f4ddd6a1790f94d0998978acdc9d1f9947fd919e77e0ed