MALICIOUS
182
Risk Score
Malware Insights
MITRE ATT&CK
T1203 Exploitation for Client Execution
T1566.001 Spearphishing Attachment
The RTF document contains an embedded OLE object that leverages CVE-2017-0199 to fetch a payload from the specified URL. This exploit is commonly used to deliver secondary malware. The presence of the OLE object and the specific CVE firing strongly indicate an exploitation attempt.
Heuristics 5
-
CVE-2017-0199 (OLE2Link / remote URL Moniker) critical CVE likely CVE_2017_0199RTF contains a URL Moniker OLE link whose decoded target is remote. Office can fetch and process the response through the CVE-2017-0199 OLE2Link attack path, but the server-side content type is not proven statically.
-
ClamAV: Rtf.Exploit.CVE_2017_0199-6335035-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Rtf.Exploit.CVE_2017_0199-6335035-0
-
Automatically linked OLE object high RTF_OBJAUTLINKRTF contains \objautlink — an automatically linked OLE object surface that can be updated or activated when Word opens the document.
-
OLE object data medium RTF_OBJDATARTF contains 1 \objdata section(s) — embedded OLE objects
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://206.189.94.161:8080// In RTF body
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
objdata_00_off000000fa.bin |
rtf-objdata-decoded | RTF \objdata at offset 0xFA | 2724 bytes |
SHA-256: e26c77257faffd2e548010ae75f1167a0fff4dd20fe2f9144c41971f6011f077 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.