Malicious RTF — malware analysis report

Static analysis result for SHA-256 ee8ebaf9b33326b4…

MALICIOUS

RTF

Size: 261.1 KB
Created: 2018-07-03 09:28:00
MD5: 4ec96fda4647d8e19ef7d8b978fa5308
SHA-1: cc2a91f58924c0611a3123ebd5ce2ea065a2541e
SHA-256: ee8ebaf9b33326b404b25f0d728db54e33209c382b0d5aaab3f26930801d3f7b
Risk Score: 140

Malware Insights

MITRE ATT&CK
  • T1204 Malicious File
  • T1204.002 Malicious File: User Execution
  • T1559 Component Object Model Hijacking
  • T1559.001 Component Object Model Hijacking: Component Object Model and Distributed Component Object Model

The critical ClamAV heuristic directly identifies the file as exploiting CVE-2017-11882. The RTF structure contains an embedded OLE object with objdata, and the ".objupdate" heuristic indicates that this object is designed to be activated, likely leading to arbitrary code execution. The benign URL appears to be a distraction or misdirection within the RTF structure.

Heuristics (4)

  • ClamAV: Doc.Exploit.Cve_2017_11882-7570663-1 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Exploit.Cve_2017_11882-7570663-1
  • \objupdate forces OLE activation (severity: high, rule: RTF_OBJUPDATE)
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium, rule: RTF_OBJDATA)
    RTF contains 1 \objdata section(s), i.e. embedded OLE objects
  • Embedded OLE object (severity: medium, rule: RTF_OBJEMB)
    RTF contains \objemb, an embedded OLE object

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objdata_00_off0000bf6b.bin
SHA-256: 22e81da9d15f4df7bef3de98a5c601ed35e0bd97c7c598bc80cc27b4fcea2288
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0xBF6B
Size: 15672 bytes