I can’t remember previously seeing a malware delivery campaign using a malformed, malicious RTF file like this one. It definitely is using one of the multiple Equation Editor exploits. There is some dispute on VirusTotal about whether it is CVE-2017-11882 or CVE-2018-0802, or even whether it is a new exploit. It definitely involved embedded OLE objects being extracted and dropped from the RTF file. The RTF header / control word is somewhat different from usual and starts with \rtfSP\ whereas we normally see \rtf\, \rtf0\ or \rtf1\ in the majority of malicious RTF files. I am not exactly sure what \rtfSP\ means …
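The practical point of the odd header is that any detection keyed on the literal `{\rtf1` misses a file like this, while Word's RTF parser is known to be lenient about what follows `\rtf` and will still open it. The following is an added triage example, not code from the original post, and the sample RTF in it is constructed, not the campaign's file: it pulls the header control word out of a file, flags anything other than the usual `\rtf`, `\rtf0`, `\rtf1`, and then hex-decodes the `\objdata` groups so the embedded OLE object can be inspected (here only for the compound-file magic and the `\objclass` name). Tolerating control words scattered inside the hex, as the example does, matters because that is a common evasion in malicious RTFs; `\bin` raw-binary runs are not handled.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Header control words seen in the overwhelming majority of RTF files.
STANDARD_HEADERS = {b"rtf", b"rtf0", b"rtf1"}
# '{' then '\rtf' followed by any letters/digits, e.g. rtf1 or the unusual rtfSP.
RTF_HEADER_RE = re.compile(rb"^\s*\{\\(rtf[A-Za-z0-9]*)")
# OLE compound file magic, which an embedded OLE object normally carries.
OLE_CF_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")


@dataclass
class RtfFindings:
    header: Optional[bytes]
    standard_header: bool
    objclasses: list = field(default_factory=list)
    objdata_blobs: list = field(default_factory=list)


def header_control_word(data: bytes) -> Optional[bytes]:
    """Return the header control word (without the backslash), or None if not RTF-like."""
    m = RTF_HEADER_RE.match(data)
    return m.group(1) if m else None


def _group_rest(data: bytes, pos: int) -> bytes:
    """Bytes from pos up to the '}' that closes the enclosing group (nesting-aware)."""
    depth, i = 1, pos
    while i < len(data):
        c = data[i:i + 1]
        if c == b"\\":          # skip escaped char, e.g. '\{' or '\}'
            i += 2
            continue
        if c == b"{":
            depth += 1
        elif c == b"}":
            depth -= 1
            if depth == 0:
                return data[pos:i]
        i += 1
    return data[pos:]


def _hex_blob(body: bytes) -> bytes:
    """Decode an \\objdata body leniently: drop control words, whitespace and junk."""
    body = re.sub(rb"\\[A-Za-z]+-?\d*\s?", b"", body)   # strip interleaved control words
    hexchars = re.sub(rb"[^0-9A-Fa-f]", b"", body)      # keep hex digits only
    if len(hexchars) % 2:
        hexchars = hexchars[:-1]                         # drop a dangling nibble
    return bytes.fromhex(hexchars.decode("ascii"))


def analyse(data: bytes) -> RtfFindings:
    hdr = header_control_word(data)
    f = RtfFindings(header=hdr, standard_header=hdr in STANDARD_HEADERS)
    for m in re.finditer(rb"\\objclass\s?", data):
        f.objclasses.append(_group_rest(data, m.end()).strip())
    for m in re.finditer(rb"\\objdata\s?", data):
        f.objdata_blobs.append(_hex_blob(_group_rest(data, m.end())))
    return f


def suspicion_reasons(f: RtfFindings) -> list:
    reasons = []
    if f.header is None:
        reasons.append("no RTF header found")
    elif not f.standard_header:
        reasons.append("non-standard header control word: " + f.header.decode("ascii", "replace"))
    for cls in f.objclasses:
        if cls.lower().startswith(b"equation"):
            reasons.append("embedded object class " + cls.decode("ascii", "replace"))
    for blob in f.objdata_blobs:
        if OLE_CF_MAGIC in blob:
            reasons.append("objdata contains an OLE compound file (%d bytes decoded)" % len(blob))
    return reasons


# Constructed sample (hypothetical, not the real campaign file): unusual \rtfSP header,
# an Equation.3 object, and objdata hex with a control word inserted inside it.
SAMPLE_RTF = (
    b"{\\rtfSP\\ansi\\deff0{\\fonttbl{\\f0 Times New Roman;}}\n"
    b"\\pard Some text.\n"
    b"{\\object\\objemb\\objw380\\objh260{\\*\\objclass Equation.3}\n"
    b"{\\*\\objdata d0cf11e0 a1b11ae1\\par 00000000 00000000 ffffffff}}\n"
    b"}"
)

if __name__ == "__main__":
    for reason in suspicion_reasons(analyse(SAMPLE_RTF)):
        print(reason)
```

Run it against a real sample with `analyse(open(path, "rb").read())`; the decoded `objdata_blobs` can then be written out and handed to an OLE parser for the actual Equation Editor stream, which is where the CVE-2017-11882 versus CVE-2018-0802 question gets settled, not at the RTF layer.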