RTF malware analysis — malicious · e4acb36fb68cfcaf

MALICIOUS

RTF

56.0 KB First seen: 2023-08-24

MD5: 89c1a747633c6879f7e633457d14b78a SHA-1: 7c78265b0650dca3b734749b990d3d220ef1f6ff SHA-256: e4acb36fb68cfcaf788ee4ffb0573403cec1d9ef97cd88c122d06b1e5472e176

140 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1204.002 Malicious File T1059.005 Visual Basic

The sample is an RTF document that contains an embedded OLE object, triggering heuristics for CVE-2017-11882 exploitation. The document body contains a lure instructing the user to 'Enable editing', which is a common tactic to bypass security measures. The exploitation of CVE-2017-11882 is a critical finding, indicating the file attempts to execute arbitrary code.

Heuristics 4

CVE-2017-11882 — Equation Editor FONT record overflow critical CVE likely CVE_2017_11882

Equation Editor MTEF contains an overlong FONT typeface field, the vulnerable copy primitive for CVE-2017-11882. This is stronger evidence than the Equation Editor CLSID alone because it identifies the malformed record that drives code execution in EQNEDT32.EXE.
\objupdate forces OLE activation high RTF_OBJUPDATE

RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
OLE object data medium RTF_OBJDATA

RTF contains 1 \objdata section(s) — embedded OLE objects
Macro/content-enable lure medium SE_ENABLE_LURE

Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`objdata_00_off00002822.bin` `4361d37502a60f61a17634f43bd9ac28c6df730f20a7d7d77e81dd4388cd592d`	rtf-objdata-decoded	RTF \objdata at offset 0x2822	3643 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.