Verdict: MALICIOUS
Risk Score: 240
Malware Insights
MITRE ATT&CK
T1203 Exploitation for Client Execution
T1566.001 Spearphishing Attachment
The RTF file contains embedded OLE object data that triggers the critical heuristics RTF_EQUATION_EDITOR and CVE_2017_11882: the object carries the Microsoft Equation Editor CLSID and an MTEF FONT record whose typeface name is longer than the fixed-size stack buffer that EQNEDT32.EXE copies it into. That is the stack-based buffer overflow tracked as CVE-2017-11882, which gives arbitrary code execution in the Equation Editor process as soon as the object is activated; the \objupdate control word in this document forces that activation at open time. Documents of this kind are commonly delivered as spearphishing attachments (T1566.001), with the overflow serving as the client-execution step (T1203).
Heuristics (6)

- Equation Editor CLSID [critical, CVE likely] (RTF_EQUATION_EDITOR): the Equation Editor OLE CLSID was found inside an OLE object. This is the component targeted by CVE-2017-11882, CVE-2018-0802 and CVE-2018-0798; the CLSID alone does not say which.
- CVE-2017-11882, Equation Editor FONT record overflow [critical, CVE likely] (CVE_2017_11882): the Equation Editor MTEF data contains an overlong FONT typeface field, which is the vulnerable copy primitive for CVE-2017-11882. This is stronger evidence than the CLSID alone because it identifies the malformed record that drives code execution in EQNEDT32.EXE.
- Heap-spray pattern detected [high] (SC_HEAP_SPRAY): repeated 0x07 bytes found. Caveat: this is a byte-pattern match. A long run of one byte inside a roughly 4 KB OLE object is at least as consistent with padding around the overflowing FONT record as with a heap spray, so confirm against the carved object before reporting heap spraying as a technique.
  Disassembly: attempted x86 decode of the run. All 96 bytes from offset 0000002B to 0000008A are 0x07, so every one decodes to `pop es`:

      0000002B 07 pop es
      0000002C 07 pop es
      0000002D 07 pop es
      [identical lines for offsets 0000002E through 00000089]
      0000008A 07 pop es

  A run of `pop es` is not a usable NOP sled: popping arbitrary stack words into ES raises a general-protection fault unless they happen to be valid selectors, so these bytes are almost certainly filler rather than code meant to execute.
- \objupdate forces OLE activation [high] (RTF_OBJUPDATE): the RTF contains \objupdate, which forces the OLE object to be instantiated (and its MTEF parsed by Equation Editor) when the document is opened, without the user having to activate the object. Almost exclusively seen in Equation Editor exploit documents.
- OLE object data [medium] (RTF_OBJDATA): the RTF contains 1 \objdata section (embedded OLE object).
- Embedded OLE object [medium] (RTF_OBJEMB): the RTF contains \objemb (embedded OLE object).
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| objdata_00_off0000db5d.bin | rtf-objdata-decoded | RTF \objdata at offset 0xDB5D | 4190 bytes | 156a78fb400427074a37345aaf8fa2eb5f1c541420f5e242801458652a6e22e4 |
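The heuristics above and the carved \objdata object can be re-derived offline with a short script. The following is an added example written for this page, not the analyzer's code: it pulls every \objdata group out of an RTF, hex-decodes it, checks for the \objemb and \objupdate control words, looks for the Microsoft Equation 3.0 CLSID and the OLE2 compound-file signature in the decoded bytes, scans for an MTEF FONT record whose NUL-terminated name is longer than a threshold, measures the longest run of one repeated byte (the SC_HEAP_SPRAY pattern), and hashes each decoded object so the SHA-256 can be compared with the carved-file table. The CLSID and CFB signature are real constants; `FONT_NAME_LIMIT` is an assumed threshold, the FONT-record scan is a deliberately loose heuristic, and the RTF returned by `build_sample()` is constructed for the demonstration (approximate OLE1 header, a 44-byte font name, 96 bytes of 0x07), not the analysed file.

```python
"""Re-derive this report's RTF indicators offline: \\objemb / \\objupdate / \\objdata,
the Equation Editor CLSID in the decoded object, an overlong MTEF FONT record and the
longest repeated-byte run. Example code written for this page, not the analyzer's
own; the RTF produced by build_sample() is constructed, not the analysed file."""
import hashlib
import re

# Microsoft Equation 3.0 CLSID {0002CE02-0000-0000-C000-000000000046} as stored on
# disk (first three fields little-endian).
EQNEDT_CLSID = bytes.fromhex("02CE0200 0000 0000 C000 000000000046")
CFB_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")   # OLE2 compound file signature
MTEF_FONT_TAG = 0x08                             # MTEF record tag for FONT
FONT_NAME_LIMIT = 40                             # assumed threshold; tune to the buffer size you trust
CONTROL_WORD = re.compile(rb"\\[a-zA-Z]+-?\d* ?|\\.")

def rtf_control_words(rtf: bytes) -> set:
    """All control words present, e.g. {b'rtf', b'objemb', b'objupdate'}."""
    return {m.group(1) for m in re.finditer(rb"\\([a-zA-Z]+)", rtf)}

def extract_objdata(rtf: bytes) -> list:
    """Decode every \\objdata group to bytes. The hex may be wrapped across lines and
    interleaved with control words; \\bin raw-binary runs are not handled here."""
    blobs = []
    for m in re.finditer(rb"\\objdata\b", rtf):
        i, depth, hexchars = m.end(), 1, bytearray()
        while i < len(rtf) and depth > 0:
            c = rtf[i:i + 1]
            if c == b"{":
                depth += 1
            elif c == b"}":
                depth -= 1
            elif c == b"\\":                      # skip a nested control word or symbol
                cw = CONTROL_WORD.match(rtf, i)
                i = cw.end() if cw else i + 1
                continue
            elif c in b"0123456789abcdefABCDEF":
                hexchars += c
            i += 1
        if len(hexchars) % 2:                     # stray nibble: drop it rather than fail
            del hexchars[-1]
        blobs.append(bytes.fromhex(hexchars.decode("ascii")))
    return blobs

def longest_repeated_run(blob: bytes) -> tuple:
    """(byte value, run length) of the longest run of one repeated byte."""
    best, i = (None, 0), 0
    while i < len(blob):
        j = i
        while j < len(blob) and blob[j] == blob[i]:
            j += 1
        if j - i > best[1]:
            best = (blob[i], j - i)
        i = j
    return best

def overlong_font_records(blob: bytes, limit: int = FONT_NAME_LIMIT) -> list:
    """Heuristic: treat each 0x08 byte as a FONT tag (tag, tface, style, NUL-terminated
    name) and return (offset, name length) where the name exceeds `limit`. Noisy on
    arbitrary binaries, so use it to confirm a CLSID hit rather than on its own."""
    hits = []
    for i in range(len(blob) - 3):
        if blob[i] == MTEF_FONT_TAG:
            end = blob.find(b"\x00", i + 3)
            name_len = (len(blob) if end == -1 else end) - (i + 3)
            if name_len > limit:
                hits.append((i, name_len))
    return hits

def triage(rtf: bytes) -> dict:
    """Summarise, for one RTF, the indicators this report lists."""
    words, blobs = rtf_control_words(rtf), extract_objdata(rtf)
    return {
        "objemb": b"objemb" in words,
        "objupdate": b"objupdate" in words,
        "objdata_count": len(blobs),
        "cfb_magic": any(CFB_MAGIC in b for b in blobs),
        "equation_editor_clsid": any(EQNEDT_CLSID in b for b in blobs),
        "overlong_font": [h for b in blobs for h in overlong_font_records(b)],
        "repeated_run": max((longest_repeated_run(b) for b in blobs),
                            key=lambda r: r[1], default=(None, 0)),
        "sha256": [hashlib.sha256(b).hexdigest() for b in blobs],  # compare with the carved-file table
    }

def build_sample() -> bytes:
    """Constructed RTF reproducing the report's indicators (NOT the analysed file):
    approximate OLE1 header, CFB magic, Equation Editor CLSID, a FONT record with a
    44-byte name, then 96 bytes of 0x07 filler, hex-wrapped the way Word writes \\objdata."""
    obj = (bytes.fromhex("01050000 02000000 0b000000") + b"Equation.3\x00" + bytes(8)
           + CFB_MAGIC + bytes(8) + EQNEDT_CLSID
           + bytes([MTEF_FONT_TAG, 0x01, 0x01]) + b"A" * 44 + b"\x00" + b"\x07" * 96)
    hexdata = obj.hex().encode()
    wrapped = b"\n".join(hexdata[i:i + 64] for i in range(0, len(hexdata), 64))
    return (b"{\\rtf1\\ansi{\\object\\objemb\\objupdate\\objw380\\objh260"
            b"{\\*\\objclass Equation.3}{\\*\\objdata\n" + wrapped + b"\n}}\\par}")

if __name__ == "__main__":
    for key, value in triage(build_sample()).items():
        print(f"{key:>22}: {value}")
```

Run it against a real sample with `triage(open(path, "rb").read())`; the `sha256` entry should match the hash in the carved-file table if the decoder recovered the same \objdata bytes. A CLSID hit plus an overlong FONT record is the combination the report treats as strong evidence; the repeated-byte run and the FONT scan on their own are pattern matches and should be read as such.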