RTF malware analysis — malicious · fee353c1f1b2aac0

MALICIOUS

RTF

8.6 KB

MD5: 6ada8d7a242fce84a44a3d5055454964 SHA-1: 88336f296504263d39639b3220f37fa630e9d287 SHA-256: fee353c1f1b2aac0584d1750d97758959aa0433819f99451ae1d08fc771e9f28

220 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1204.002 Malicious File

The file is an RTF document containing embedded OLE object data, specifically triggering heuristics related to Equation Editor and OLE activation. ClamAV identifies this as Rtf.Exploit.CVE_2018_0802-6825822-0, indicating a likely exploit of CVE-2018-0802. This vulnerability allows for arbitrary code execution when the embedded OLE object is activated, typically through user interaction with the document.

Heuristics 5

Ole10Native stream in RTF OLE object high CVE related RTF_OLE10NATIVE_STREAM

RTF contains an embedded OLE object with an Ole10Native stream. This is a strong payload-container signal and is related to Word/OLE exploit delivery, but it is not specific enough on its own to assign a CVE.
Equation Editor CLSID critical RTF_EQUATION_EDITOR

Equation Editor OLE CLSID found inside an OLE object — exploited by CVE-2017-11882 / CVE-2018-0802 / CVE-2018-0798
ClamAV: Rtf.Exploit.CVE_2018_0802-6825822-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Rtf.Exploit.CVE_2018_0802-6825822-0
\objupdate forces OLE activation high RTF_OBJUPDATE

RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
OLE object data medium RTF_OBJDATA

RTF contains 2 \objdata section(s) — embedded OLE objects

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`objdata_00_off000000a2.bin` `2fc3e9e5bd08c5d1007e8530aaa6375d44ce93cf2fd24fab736b3138deb2f67b`	rtf-objdata-decoded	RTF \objdata at offset 0xA2	4163 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.