Malicious RTF — malware analysis report

Static analysis result for SHA-256 e0c196fe43f787df…

MALICIOUS

RTF

123.2 KB First seen: 2019-01-11
MD5: 7f4cdb172d2411aa27d36d2a31de37b5 SHA-1: 40790302b4312e3aafccb7e0d620656492ffedd6 SHA-256: e0c196fe43f787dfbf10cda471555bf613880e2b732d56674691b8bdb69d18c1
160 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The file is an RTF document identified by ClamAV as Doc.Exploit.CVE_2017_11882-6934206-0, indicating exploitation of the Equation Editor vulnerability. Heuristics confirm the presence of OLE object data and automatic linking, which are typical for this exploit. The exploit likely facilitates the execution of a secondary payload, although the specific nature of that payload cannot be determined from the provided evidence.

Heuristics 4

  • ClamAV: Doc.Exploit.CVE_2017_11882-6934206-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Exploit.CVE_2017_11882-6934206-0
  • Automatically linked OLE object high RTF_OBJAUTLINK
    RTF contains \objautlink — an automatically linked OLE object surface that can be updated or activated when Word opens the document.
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off000019be.bin rtf-objdata-decoded RTF \objdata at offset 0x19BE 4981 bytes
SHA-256: 80bc2c0f77623bf3a52add56d7c7cc671c5fcfe08e81215fde2fa27588802081

Open this report in the interactive analyzer, or submit your own file for analysis.