Verdict: MALICIOUS
Risk Score: 302

Malware Insights

MITRE ATT&CK:
- T1203 Exploitation for Client Execution
- T1566.001 Spearphishing Attachment
The RTF file contains multiple embedded OLE objects with excessive hex-encoded data, and the \objupdate control word forces OLE activation without user interaction. Crucially, the heuristic firing for CVE-2017-8759 indicates exploitation of this vulnerability via MSXML SAX OLE activation. This suggests the file is designed to execute arbitrary code by leveraging this known vulnerability, likely as a downloader for further malicious activity.
Heuristics (7)

- CVE-2017-8759 — MSXML SAX OLE activation (critical; CVE likely; CVE_2017_8759): RTF contains a hex-encoded OLE1 object for Msxml2.SAXXMLReader.6.0 followed by an embedded OLE compound document, and the document requests OLE activation. This matches the RTF staging shape used for CVE-2017-8759 SOAP/WSDL parser code injection.
- ClamAV: Doc.Dropper.Agent-6412232-1 (critical; CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Agent-6412232-1
- \objupdate forces OLE activation (high; RTF_OBJUPDATE): RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
- Large hex data blocks in OLE object (high; RTF_EXCESSIVE_HEX): RTF contains ~1035KB of hex-encoded data inside \objdata sections, which may hide a payload.
- OLE object data (medium; RTF_OBJDATA): RTF contains 12 \objdata section(s), i.e. embedded OLE objects.
- Embedded OLE object (medium; RTF_OBJEMB): RTF contains \objemb, an embedded OLE object.
- Embedded URL (info; EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.microsoft.com/office/word/2003/wordml (in RTF body).
Extracted artifacts (12)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 | Detection | Obfuscation or payload |
|---|---|---|---|---|---|---|
| objdata_00_off00002c18.bin | rtf-objdata-decoded | RTF \objdata at offset 0x2C18 | 33339 bytes | 6152b7eb2a23f622579147cb3dae4065067ea33c0f8708a63d2eee1884c034f6 | ClamAV: Doc.Dropper.Agent-6412232-1 | unlikely |
| objdata_01_off00018b30.bin | rtf-objdata-decoded | RTF \objdata at offset 0x18B30 | 33339 bytes | 507e87ce570aa0e5dec55bd6f05b3a214326aa5626e04d4a0c59e19df09acd74 | ClamAV: Doc.Dropper.Agent-6412232-1 | unlikely |
| objdata_02_off0002ea48.bin | rtf-objdata-decoded | RTF \objdata at offset 0x2EA48 | 33339 bytes | 44be6bc214f5b90e8d442e2a0e2eea5aa1ab6ba6c3f8359357c5458a4ac5f48a | ClamAV: Doc.Dropper.Agent-6412232-1 | unlikely |
| objdata_03_off00044960.bin | rtf-objdata-decoded | RTF \objdata at offset 0x44960 | 33339 bytes | 8282f94c8939cf24dc936267572007ce22ddaac5b2fa4be2ef53352a04edfb30 | ClamAV: Doc.Dropper.Agent-6412232-1 | unlikely |
| objdata_04_off0005a878.bin | rtf-objdata-decoded | RTF \objdata at offset 0x5A878 | 33339 bytes | 4d84ddb99e6e2e602304d2dcf0832a7d8c72bcdb943c57b740e15a595f718053 | ClamAV: Doc.Dropper.Agent-6412232-1 | unlikely |
| objdata_05_off00070790.bin | rtf-objdata-decoded | RTF \objdata at offset 0x70790 | 33339 bytes | 58d28f866f74e716cac740314faa2457bc2dfaf03593e1ed69d2476a32879cc6 | ClamAV: Doc.Dropper.Agent-6412232-1 | unlikely |
| objdata_06_off000866f2.bin | rtf-objdata-decoded | RTF \objdata at offset 0x866F2 | 33339 bytes | a22a11370d975a64bc62c6898e873054d57296b0da8e15f148508f9315353db0 | ClamAV: Doc.Dropper.Agent-6412232-1 | unlikely |
| objdata_07_off0009c60a.bin | rtf-objdata-decoded | RTF \objdata at offset 0x9C60A | 33339 bytes | ebfce2c49fafa88b5f3230ca754215637b383cf4dde8f7d5548efeda67f18c61 | ClamAV: Doc.Dropper.Agent-6412232-1 | unlikely |
| objdata_08_off000b2522.bin | rtf-objdata-decoded | RTF \objdata at offset 0xB2522 | 33339 bytes | fd6632f70f2b4f4a615489f7391163afdf43ed7d57d30646c7ece0cbf4556082 | ClamAV: Doc.Dropper.Agent-6412232-1 | unlikely |
| objdata_09_off000c843a.bin | rtf-objdata-decoded | RTF \objdata at offset 0xC843A | 33339 bytes | fc579b46a896305c462dc9b433d4937f44c10dfe45d1b00abc1d0a4188abc60f | ClamAV: Doc.Dropper.Agent-6412232-1 | unlikely |
| objdata_10_off000de352.bin | rtf-objdata-decoded | RTF \objdata at offset 0xDE352 | 33339 bytes | 94359831ff2bfee571e57398dad78a022d21f262edaff9fb8491f515d526fa3d | ClamAV: Doc.Dropper.Agent-6412232-1 | unlikely |
| objdata_11_off000f426a.bin | rtf-objdata-decoded | RTF \objdata at offset 0xF426A | 33339 bytes | c932e82b6ad390e53ef440b07cf4ca1f02d6f5ce6754c72c25c8719000b9d81f | ClamAV: Doc.Dropper.Agent-6412232-1 | unlikely |