Verdict: MALICIOUS (Risk Score: 262)

Malware Insights

MITRE ATT&CK:
- T1203 Exploitation for Client Execution
- T1566.001 Spearphishing Attachment
The RTF file contains multiple embedded OLE objects and utilizes \objupdate to force their activation. The critical heuristic firing for CVE-2017-8759 indicates exploitation of MSXML SAX OLE activation, a known vulnerability used to execute arbitrary code. ClamAV detections further confirm the malicious nature, identifying it as a dropper. The embedded URL is likely part of the exploit chain.
Heuristics (6)

- CVE-2017-8759 — MSXML SAX OLE activation (critical; CVE likely; CVE_2017_8759): RTF contains a hex-encoded OLE1 object for Msxml2.SAXXMLReader.6.0 followed by an embedded OLE compound document, and the document requests OLE activation. This matches the RTF staging shape used for CVE-2017-8759 SOAP/WSDL parser code injection.
- ClamAV: Doc.Macro.Obfuscation-6391394-0 (critical; CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Macro.Obfuscation-6391394-0
- \objupdate forces OLE activation (high; RTF_OBJUPDATE): RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
- OLE object data (medium; RTF_OBJDATA): RTF contains 12 \objdata section(s) — embedded OLE objects
- Embedded OLE object (medium; RTF_OBJEMB): RTF contains \objemb — embedded OLE object
- Embedded URL (info; EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.mi (in RTF body)
Extracted artifacts (12)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 | ClamAV detection | Obfuscation or payload |
|---|---|---|---|---|---|---|
| objdata_00_off00002cbe.bin | rtf-objdata-decoded | RTF \objdata at offset 0x2CBE | 28219 bytes | 1467abf50281a5fa1a65e304ba0e04248b000ae86fbb658774037fc191f5b3fd | Doc.Macro.Obfuscation-6391394-0 | unlikely |
| objdata_01_off000168fd.bin | rtf-objdata-decoded | RTF \objdata at offset 0x168FD | 28219 bytes | 29da569e8d94b5062df4e56c39698dfda4390ff327f9c6f027886a6b6ebaca99 | Doc.Macro.Obfuscation-6391394-0 | unlikely |
| objdata_02_off0002a53c.bin | rtf-objdata-decoded | RTF \objdata at offset 0x2A53C | 28219 bytes | 94d0179b64b7258ceb1c6fc4b40da73eee15b902dad57aa703c3ec25db65a8f9 | Doc.Macro.Obfuscation-6391394-0 | unlikely |
| objdata_03_off0003e17b.bin | rtf-objdata-decoded | RTF \objdata at offset 0x3E17B | 28219 bytes | 15ee9ff4463a93fb94220b3acc54bba61250dc8d14613f4c1a21547cd438bf45 | Doc.Macro.Obfuscation-6391394-0 | unlikely |
| objdata_04_off00051e06.bin | rtf-objdata-decoded | RTF \objdata at offset 0x51E06 | 28219 bytes | e5f8db93cce83933751bffd3004b73c4d94bf1c4a5c4fb324c94f00fb991f24c | Doc.Macro.Obfuscation-6391394-0 | unlikely |
| objdata_05_off00065a45.bin | rtf-objdata-decoded | RTF \objdata at offset 0x65A45 | 28219 bytes | 4d01e4a7365693f8a25d8ed6403daa03c5bbc7e0a8d8f1ce06b242749e54911f | Doc.Macro.Obfuscation-6391394-0 | unlikely |
| objdata_06_off00079684.bin | rtf-objdata-decoded | RTF \objdata at offset 0x79684 | 28219 bytes | 35b8ad545870a6ec12290d1739b55bba2c5509bac04d9fcbf9146a5c47860ac7 | Doc.Macro.Obfuscation-6391394-0 | unlikely |
| objdata_07_off0008d2c3.bin | rtf-objdata-decoded | RTF \objdata at offset 0x8D2C3 | 28219 bytes | 63b7b5d7b4d9e4076ce724e914812f1f0cc7a3173b94222b10d395f19bf7bd86 | Doc.Macro.Obfuscation-6391394-0 | unlikely |
| objdata_08_off000a0f4e.bin | rtf-objdata-decoded | RTF \objdata at offset 0xA0F4E | 28219 bytes | 3c575b9ec1524984ef38271fb02e9ff967eb3465b1fe9dca00a75b3d7942f0bf | Doc.Macro.Obfuscation-6391394-0 | unlikely |
| objdata_09_off000b4b8d.bin | rtf-objdata-decoded | RTF \objdata at offset 0xB4B8D | 28219 bytes | b1bf112d20c37dbe335cc2e946c9d13b4fb3906380b921db40762fc3f0c5a11e | Doc.Macro.Obfuscation-6391394-0 | unlikely |
| objdata_10_off000c87cc.bin | rtf-objdata-decoded | RTF \objdata at offset 0xC87CC | 28219 bytes | 500649a32f54df474b2eb6a0cf2ca0edc5ed00b38eeb89640362c9e63d78b88b | Doc.Macro.Obfuscation-6391394-0 | unlikely |
| objdata_11_off000dc40b.bin | rtf-objdata-decoded | RTF \objdata at offset 0xDC40B | 28219 bytes | 6cb40f442b2039d3e2f2a23f6dfbcd034a038fff36252e7dcce897c3789efa73 | Doc.Macro.Obfuscation-6391394-0 | unlikely |