MALICIOUS
142
Risk Score
Malware Insights
MITRE ATT&CK
T1203 Exploitation for Client Execution
T1566.001 Spearphishing Attachment
The RTF file contains multiple embedded OLE objects and uses \objupdate to force their activation. The critical heuristic firing for CVE-2017-8759 indicates exploitation of MSXML SAX OLE activation, a known vulnerability used to download and execute arbitrary code. The embedded URL, though incomplete, likely points to a malicious resource. The file's purpose is to exploit this vulnerability to achieve initial execution.
Heuristics 5
-
CVE-2017-8759 — MSXML SAX OLE activation critical CVE likely CVE_2017_8759RTF contains a hex-encoded OLE1 object for Msxml2.SAXXMLReader.6.0 followed by an embedded OLE compound document, and the document requests OLE activation. This matches the RTF staging shape used for CVE-2017-8759 SOAP/WSDL parser code injection.
-
\objupdate forces OLE activation high RTF_OBJUPDATERTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
-
OLE object data medium RTF_OBJDATARTF contains 10 \objdata section(s) — embedded OLE objects
-
Embedded OLE object medium RTF_OBJEMBRTF contains \objemb — embedded OLE object
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.mi In RTF body
Extracted artifacts 10
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
objdata_00_off00002cce.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x2CCE | 26683 bytes |
SHA-256: f20a0daf93401980fcb2b17887e6257fd7f0186abe66b017a09b4b997c2571a1 |
|||
objdata_01_off00015810.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x15810 | 26683 bytes |
SHA-256: 12680f9377602487db255022650e6b7d7fa7d808728cdbeb99af19ea25784c05 |
|||
objdata_02_off00028352.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x28352 | 26683 bytes |
SHA-256: ebe8d1c2417c9809b817a970c42289091e387cf619ad6a36e036aa579a306712 |
|||
objdata_03_off0003ae8d.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x3AE8D | 26683 bytes |
SHA-256: 74b3c3973b184eff435d3a688988578ac08f7badc02b7cea5269ef9287d1ba6c |
|||
objdata_04_off0004d9cf.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x4D9CF | 26683 bytes |
SHA-256: 714988ae3df08e6849c0b3e6ca8feafc215dc02183b441e66003823a5a3df7b5 |
|||
objdata_05_off00067a2a.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x67A2A | 26683 bytes |
SHA-256: 311402d928aa25b0aba6bf39c3764c461240202708f84c249929079c1a1b0c52 |
|||
objdata_06_off0007a56c.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x7A56C | 26683 bytes |
SHA-256: 697904828926799aa9f76bcd2eaaa31d7411d921c63d32cf6ae005d994bbe10a |
|||
objdata_07_off0008d0ae.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x8D0AE | 26683 bytes |
SHA-256: 47b0684e664818ad57530b721c00275f8ee1ccdb254e113963951fc4937f600a |
|||
objdata_08_off0009fbe9.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x9FBE9 | 26683 bytes |
SHA-256: e1e6b2cae69ba3aa90f561727baebf1cc0115fb4dd1206bf018edae6757d71bc |
|||
objdata_09_off000b272b.bin |
rtf-objdata-decoded | RTF \objdata at offset 0xB272B | 26683 bytes |
SHA-256: f69f9f79c37ed8ad31d144da005be8f361b71be76b3c49709d015d8704ea98a6 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.