Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 ed6d794532b1f4f9…

MALICIOUS

RTF / .DOC

Size: 18.5 KB. First seen: 2022-05-16.
MD5: 032d75b1e579ec37ab3f38aa987ae978 SHA-1: a97f733b33bdcb3eb2455a67adf9e8246798e533 SHA-256: ed6d794532b1f4f9925b78592e023965f34e8becb0f1eea0e78d630bfa1c9ce0
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1059.001 PowerShell

The critical heuristic firing for CVE-2017-11882 indicates that the RTF document is designed to exploit a vulnerability in the Equation Editor component. The presence of OLE object data and an \objupdate directive further supports the exploitation of embedded objects. The primary goal appears to be arbitrary code execution, likely for downloading and executing a second-stage payload, though no specific script or URL was extracted to confirm this.

Heuristics (3)

  • CVE-2017-11882 — Equation Editor FONT record overflow [severity: critical] [CVE likely: CVE_2017_11882]
    Equation Editor MTEF contains an overlong FONT typeface field, the vulnerable copy primitive for CVE-2017-11882. This is stronger evidence than the Equation Editor CLSID alone because it identifies the malformed record that drives code execution in EQNEDT32.EXE.
  • \objupdate forces OLE activation [severity: high] [rule: RTF_OBJUPDATE]
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data [severity: medium] [rule: RTF_OBJDATA]
    RTF contains 2 \objdata section(s), i.e. embedded OLE objects.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off000014f0.bin
SHA-256:  4ba64b595bb38df61bea03925208b0d626a18f8f251b3f5c932525c3465d5616
Kind:     rtf-objdata-decoded
Source:   RTF \objdata at offset 0x14F0
Size:     3754 bytes