RTF malware analysis — malicious · f2cd93ecc3ce1f4c

MALICIOUS

RTF

8.1 KB First seen: 2020-05-14

MD5: f64871123ced98eb69189d5076b5a3ae SHA-1: b471496e0463c5e131dea4902fc872b740f2a2e8 SHA-256: f2cd93ecc3ce1f4c662966603eefc02e3b6061b4b87a0d300cab7067ae633a4a

240 Risk Score

Heuristics 5

Equation Editor CLSID critical CVE likely RTF_EQUATION_EDITOR

Equation Editor OLE CLSID found inside an OLE object — exploited by CVE-2017-11882 / CVE-2018-0802 / CVE-2018-0798
CVE-2017-11882 — Equation Editor FONT record overflow critical CVE likely CVE_2017_11882

Equation Editor MTEF contains an overlong FONT typeface field, the vulnerable copy primitive for CVE-2017-11882. This is stronger evidence than the Equation Editor CLSID alone because it identifies the malformed record that drives code execution in EQNEDT32.EXE.
ClamAV: Doc.Exploit.CVE_2017_11882-6934206-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Exploit.CVE_2017_11882-6934206-0
\objupdate forces OLE activation high RTF_OBJUPDATE

RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
OLE object data medium RTF_OBJDATA

RTF contains 1 \objdata section(s) — embedded OLE objects

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`objdata_00_off0000003c.bin`	rtf-objdata-decoded	RTF \objdata at offset 0x3C	4136 bytes
SHA-256: `119862e984d82e5aee0a1b8d2069e99e64a589638d343003aef0514dd20f813c`

Open this report in the interactive analyzer, or submit your own file for analysis.