MALICIOUS
242
Risk Score
Heuristics 6
-
Composite Moniker in RTF OLE object high RTF_COMPOSITE_MONIKER_RELATEDRTF contains Composite Moniker CLSID in OLE object context, but no nearby scriptlet/SCT payload was confirmed. Treat as related moniker attack-surface evidence rather than proof of CVE-2017-8570 exploitation.
-
ClamAV: Xls.Malware.Generic-6834349-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Xls.Malware.Generic-6834349-0
-
\objupdate forces OLE activation high RTF_OBJUPDATERTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
-
OLE object data medium RTF_OBJDATARTF contains 10 \objdata section(s) — embedded OLE objects
-
Embedded OLE object medium RTF_OBJEMBRTF contains \objemb — embedded OLE object
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.microsoft.com/office/word/2003/wordml In RTF body
Extracted artifacts 10
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
objdata_00_off00003d02.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x3D02 | 35899 bytes |
SHA-256: 74a14f62db79ab15e2bc4b04daaea05d0daf108e536d42eb48522429a3dd3c15 |
|||
|
Detection
ClamAV:
Xls.Malware.Generic-6834349-0
Obfuscation or payload:
unlikely
|
|||
objdata_01_off0001adf8.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x1ADF8 | 35899 bytes |
SHA-256: 2ffdf369e957e62ee46f6ed7c0afd388bb713a8716e8afdbea9d4e09648fa709 |
|||
|
Detection
ClamAV:
Xls.Malware.Generic-6834349-0
Obfuscation or payload:
unlikely
|
|||
objdata_02_off00031eee.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x31EEE | 35899 bytes |
SHA-256: 4e7075f929aa99fd0bafe2a2f2edc1d6e62254e9bcae162384d1bdc22ab434c3 |
|||
|
Detection
ClamAV:
Xls.Malware.Generic-6834349-0
Obfuscation or payload:
unlikely
|
|||
objdata_03_off00048fe4.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x48FE4 | 35899 bytes |
SHA-256: 8748ce7da70c95a03b76680b5eb488bdb5013666ec69f02fa425d0bb0b62af1e |
|||
|
Detection
ClamAV:
Xls.Malware.Generic-6834349-0
Obfuscation or payload:
unlikely
|
|||
objdata_04_off000600da.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x600DA | 35899 bytes |
SHA-256: 94aa179f0fce2ed1f444736711c104f4628c97810cee10e71c359cef82494134 |
|||
|
Detection
ClamAV:
Xls.Malware.Generic-6834349-0
Obfuscation or payload:
unlikely
|
|||
objdata_05_off00077fe0.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x77FE0 | 35899 bytes |
SHA-256: 1baa7f2fb7f14e205f9a680d4719216ecf99cbfd1e29e27ea8b5a9c4e4e09764 |
|||
|
Detection
ClamAV:
Xls.Malware.Generic-6834349-0
Obfuscation or payload:
unlikely
|
|||
objdata_06_off0008f0f4.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x8F0F4 | 35899 bytes |
SHA-256: 7a32bd139d6b0fc5e3c11d193f16821a06445b0b31838c07220f262002da266a |
|||
|
Detection
ClamAV:
Xls.Malware.Generic-6834349-0
Obfuscation or payload:
unlikely
|
|||
objdata_07_off000a620a.bin |
rtf-objdata-decoded | RTF \objdata at offset 0xA620A | 35899 bytes |
SHA-256: ec7a5cfe03340348218117bceb3419d32bae6522722245784e2737ac91a2d7d8 |
|||
|
Detection
ClamAV:
Xls.Malware.Generic-6834349-0
Obfuscation or payload:
unlikely
|
|||
objdata_08_off000bd320.bin |
rtf-objdata-decoded | RTF \objdata at offset 0xBD320 | 35899 bytes |
SHA-256: ad51c680e137088cc1c6d452deb2062169ce0d0d1e5a5e801e06161e96dd91e3 |
|||
|
Detection
ClamAV:
Xls.Malware.Generic-6834349-0
Obfuscation or payload:
unlikely
|
|||
objdata_09_off000d4436.bin |
rtf-objdata-decoded | RTF \objdata at offset 0xD4436 | 35899 bytes |
SHA-256: 9c7eb1c6b1b1521eb9fd5a1dbc9186ac8dd8d4f8c9a0088b8dac16c6b5a098e2 |
|||
|
Detection
ClamAV:
Xls.Malware.Generic-6834349-0
Obfuscation or payload:
unlikely
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.