Verdict: MALICIOUS
Risk Score: 244
Malware Insights
MITRE ATT&CK:
- T1203 Exploitation for Client Execution
- T1566.001 Spearphishing Attachment
The RTF file contains embedded OLE objects and triggers heuristics related to composite monikers and remote URL inclusion, specifically pointing to 'http://aliandqazi.com/Jobs/'. ClamAV detections confirm the presence of an exploit targeting CVE-2015-1641, indicating that the file is intended to exploit this vulnerability for code execution. The document body, while appearing to be about UN career opportunities, is a lure that disguises the malicious payload.
Heuristics 7
- Composite Moniker in RTF OLE object (high, RTF_COMPOSITE_MONIKER_RELATED): RTF contains Composite Moniker CLSID in OLE object context, but no nearby scriptlet/SCT payload was confirmed. Treat as related moniker attack-surface evidence rather than proof of CVE-2017-8570 exploitation.
- ClamAV: Doc.Exploit.CVE_2015_1641-6397417-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Exploit.CVE_2015_1641-6397417-0
- INCLUDETEXT/INCLUDEPICTURE remote URL (high, RTF_INCLUDE_REMOTE): RTF document uses INCLUDETEXT or INCLUDEPICTURE with an http:// URL. Word can fetch the remote content on open depending on Office version and external-content settings, enabling remote template injection, NTLM capture via redirects, or payload delivery.
- OLE object data (medium, RTF_OBJDATA): RTF contains 3 \objdata section(s), i.e. embedded OLE objects.
- Embedded OLE object (medium, RTF_OBJEMB): RTF contains \objemb, an embedded OLE object.
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All extracted URLs were found in the RTF body.
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 | ClamAV | Obfuscation or payload |
|---|---|---|---|---|---|---|
| objdata_00_off00019f2b.bin | rtf-objdata-decoded | RTF \objdata at offset 0x19F2B | 45 bytes | 083c2e8b44386e792363878581e7e6cc02382e07194162f33517c429dfbcec43 | | |
| objdata_01_off0001a900.bin | rtf-objdata-decoded | RTF \objdata at offset 0x1A900 | 442417 bytes | 27a4c87cfe9b259b1d5491db1302f6c770b772679735031c2cd55ab7bba93dd9 | No threats found | likely (carved artifact entropy is 7.87, consistent with packed or encrypted content) |
| objdata_02_off000f519b.bin | rtf-objdata-decoded | RTF \objdata at offset 0xF519B | 15334 bytes | 0477aa781fc8629f7d668efda3900c020370d3cdbb61d7f1878474a165729c2f | Doc.Exploit.CVE_2015_1641-6397417-0 | unlikely |