Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 e3b5cf3c05d82463…

MALICIOUS

RTF / .DOC

47.7 KB
MD5: dbed49ea88e083f14161e9dfd06e45fa SHA-1: 5275f56f321aaad802cc613842939255cae49024 SHA-256: e3b5cf3c05d824634d2748fac40216275e7f9f47c94dfa4dfa89f976841698bd
220 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious File

The sample is an RTF document that contains OLE object data, specifically triggering the CVE-2017-11882 vulnerability. This vulnerability is known to be exploited by attackers to execute arbitrary code by embedding a specially crafted Equation Editor object within documents. The presence of RTF_OBJDATA, RTF_OBJAUTLINK, RTF_EQUATION_EDITOR, and CVE_2017_11882 heuristics strongly indicates exploitation of this known vulnerability. The document body is truncated and does not provide further context on the lure, but the exploit itself is the primary indicator of malicious intent.

Heuristics 5

  • CVE-2017-11882 — Equation Editor FONT record overflow critical CVE likely CVE_2017_11882
    Equation Editor MTEF contains an overlong FONT typeface field, the vulnerable copy primitive for CVE-2017-11882. This is stronger evidence than the Equation Editor CLSID alone because it identifies the malformed record that drives code execution in EQNEDT32.EXE.
  • Equation Editor CLSID critical RTF_EQUATION_EDITOR
    Equation Editor OLE CLSID found inside an OLE object — exploited by CVE-2017-11882 / CVE-2018-0802 / CVE-2018-0798
  • Automatically linked OLE object high RTF_OBJAUTLINK
    RTF contains \objautlink — an automatically linked OLE object surface that can be updated or activated when Word opens the document.
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 2 \objdata section(s) — embedded OLE objects

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off0000180d.bin
ce1fd7a2ad24ca5da50705cee3870a030a15dc07f8ff1e7221b69cc3a78602b1		 rtf-objdata-decoded RTF \objdata at offset 0x180D 4171 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.