equation editor exploit RTF malware analysis — malicious · ebdea0b1416e54c2

MALICIOUS

RTF

8.2 KB First seen: 2019-06-27

MD5: 8762876ff486b2d4653909466d1a2f48 SHA-1: 68b052c02c9cb69f55dea27b75cfb19a5103dfa5 SHA-256: ebdea0b1416e54c2a70bf584a673adfbfb688697375502b0ebb3080d1934fe55

180 Risk Score

Malware Insights

equation editor exploit · confidence 95%

MITRE ATT&CK

T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The RTF file contains embedded OLE object data, specifically triggering critical heuristics for CVE-2017-11882 related to the Equation Editor. This indicates the file is designed to exploit this vulnerability for client-side code execution. The presence of \objupdate further suggests an attempt to force OLE activation. The SHA256 hash is provided as a primary IOC.

Heuristics 4

Equation Editor CLSID critical CVE likely RTF_EQUATION_EDITOR

Equation Editor OLE CLSID found inside an OLE object — exploited by CVE-2017-11882 / CVE-2018-0802 / CVE-2018-0798
CVE-2017-11882 — Equation Editor FONT record overflow critical CVE likely CVE_2017_11882

Equation Editor MTEF contains an overlong FONT typeface field, the vulnerable copy primitive for CVE-2017-11882. This is stronger evidence than the Equation Editor CLSID alone because it identifies the malformed record that drives code execution in EQNEDT32.EXE.
\objupdate forces OLE activation high RTF_OBJUPDATE

RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
OLE object data medium RTF_OBJDATA

RTF contains 1 \objdata section(s) — embedded OLE objects

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`objdata_00_off00000033.bin`	rtf-objdata-decoded	RTF \objdata at offset 0x33	4137 bytes
SHA-256: `6775a67290f97c27d21677c9b63a9db8e6d387dac9935b5b41cd9310eda97874`

Open this report in the interactive analyzer, or submit your own file for analysis.