Malicious RTF — malware analysis report

Static analysis result for SHA-256 f6a89f144b837496…

MALICIOUS

RTF

155.6 KB
MD5: b260a632664203cf29d1e046e6154abc SHA-1: 26681db10b1b972df8066b070a7d442c34afd790 SHA-256: f6a89f144b837496e1a22e4d0408dd345404bf33e67a4c05c5fbc70a86c25231
100 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The RTF document contains an embedded OLE object that triggers the CVE-2017-11882 vulnerability in Microsoft Equation Editor. This vulnerability allows for the execution of arbitrary code, likely to download and run a secondary payload.

Heuristics 3

  • CVE-2017-11882 — Equation Editor FONT record overflow critical CVE likely CVE_2017_11882
    Equation Editor MTEF contains an overlong FONT typeface field, the vulnerable copy primitive for CVE-2017-11882. This is stronger evidence than the Equation Editor CLSID alone because it identifies the malformed record that drives code execution in EQNEDT32.EXE.
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects
  • Embedded OLE object medium RTF_OBJEMB
    RTF contains \objemb — embedded OLE object

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off00002396.bin
bc0a7275121c86429a3ba0dfedd266d3669aa9859382515cf0fff12ebcfb8e64		 rtf-objdata-decoded RTF \objdata at offset 0x2396 28445 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.