Verdict: MALICIOUS
Risk Score: 242

Heuristics (6)

- Composite Moniker in RTF OLE object (severity: high, RTF_COMPOSITE_MONIKER_RELATED): RTF contains a Composite Moniker CLSID in OLE object context, but no nearby scriptlet/SCT payload was confirmed. Treat this as related moniker attack-surface evidence rather than proof of CVE-2017-8570 exploitation.
- ClamAV: Xls.Malware.Generic-6834349-0 (severity: critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Xls.Malware.Generic-6834349-0.
- \objupdate forces OLE activation (severity: high, RTF_OBJUPDATE): RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
- OLE object data (severity: medium, RTF_OBJDATA): RTF contains 10 \objdata section(s), i.e. embedded OLE objects.
- Embedded OLE object (severity: medium, RTF_OBJEMB): RTF contains \objemb, an embedded OLE object.
- Embedded URL (severity: info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.microsoft.com/office/word/2003/wordml (in RTF body)
Extracted artifacts (10)
Files carved from inside the sample during analysis. All ten decoded \objdata blobs are the same size (35899 bytes) and carry the same ClamAV detection, but each has a distinct SHA-256.
| Filename | Kind | Source | Size | SHA-256 | ClamAV | Obfuscation or payload |
|---|---|---|---|---|---|---|
| objdata_00_off00003d57.bin | rtf-objdata-decoded | RTF \objdata at offset 0x3D57 | 35899 bytes | e307a4bebf8001cdb61418451c697964bfbdbb6a5b2a1dbc2783bad2591e8602 | Xls.Malware.Generic-6834349-0 | unlikely |
| objdata_01_off0001ae8f.bin | rtf-objdata-decoded | RTF \objdata at offset 0x1AE8F | 35899 bytes | 20173b5dc917e8248c54cd697778ce5a2ba01b28a5d151708e9e7ab716dcbd4f | Xls.Malware.Generic-6834349-0 | unlikely |
| objdata_02_off00031fc7.bin | rtf-objdata-decoded | RTF \objdata at offset 0x31FC7 | 35899 bytes | 62acf950365b07a3855be1e31ca9e2dc2ecd5ddd19c0f24118afe6a47830dc13 | Xls.Malware.Generic-6834349-0 | unlikely |
| objdata_03_off000490ff.bin | rtf-objdata-decoded | RTF \objdata at offset 0x490FF | 35899 bytes | c70fdbaee6f1f54ae7ebfcdbf097d0cca81acf38b7a1d28a0e0827db487fb24d | Xls.Malware.Generic-6834349-0 | unlikely |
| objdata_04_off00060237.bin | rtf-objdata-decoded | RTF \objdata at offset 0x60237 | 35899 bytes | 49f35d312cacfb4999f7bb21537b17852232d8dad0b284dc0436daa2e1354e17 | Xls.Malware.Generic-6834349-0 | unlikely |
| objdata_05_off0007c183.bin | rtf-objdata-decoded | RTF \objdata at offset 0x7C183 | 35899 bytes | cc2ee908d329ae0874e23951f123f60c124cb00bbcbdbf392522b0e8923f16d8 | Xls.Malware.Generic-6834349-0 | unlikely |
| objdata_06_off000931d4.bin | rtf-objdata-decoded | RTF \objdata at offset 0x931D4 | 35899 bytes | fa8aea29ac65fe4b1fb0709dfa46dab5bbc74cdb63f7c9d57e01f9f9d7e9d704 | Xls.Malware.Generic-6834349-0 | unlikely |
| objdata_07_off000aa32c.bin | rtf-objdata-decoded | RTF \objdata at offset 0xAA32C | 35899 bytes | a7a8d9175c5afd7de8dc51a126654791e3cb7c5b1e1b344afd91ad8ce1e97341 | Xls.Malware.Generic-6834349-0 | unlikely |
| objdata_08_off000c1484.bin | rtf-objdata-decoded | RTF \objdata at offset 0xC1484 | 35899 bytes | f8d5c292fd68f8661b78fa3c690f4fc2d58d1a1adf1a4e4f98bbe87216541f6b | Xls.Malware.Generic-6834349-0 | unlikely |
| objdata_09_off000d85dc.bin | rtf-objdata-decoded | RTF \objdata at offset 0xD85DC | 35899 bytes | 872faeac9fd8fa97e57c181eaf8dfed7d0d5d0f5ad4a243c03f8fdc04d7e6584 | Xls.Malware.Generic-6834349-0 | unlikely |
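The heuristics above (RTF_OBJUPDATE, RTF_OBJEMB, RTF_OBJDATA, the Composite Moniker check) and the artifact table (one decoded \objdata blob per offset, with size and SHA-256) can be reproduced with a small carver. The script below is an added example, not the analyzer's own code: it walks the RTF for each \objdata group, decodes the hex while skipping the whitespace, junk control words and nested braces that obfuscated samples use (the same approach rtfobj-style carvers take), records offset, size and SHA-256, flags \objupdate and \objemb, and searches each decoded blob for CLSIDs stored as raw little-endian GUIDs. The CLSID list (Composite Moniker and Equation Editor 3.0) is an assumed, minimal one for this example, and the sample RTF it builds is constructed here; it carries only the marker bytes, not an exploit.

```python
"""Toy RTF OLE-object carver that reproduces the checks behind this report.

Added example (not the analyzer's own code). It reads an RTF file, finds each
\\objdata group, decodes the hex payload and records file offset, size and
SHA-256 (the 'Extracted artifacts' table), flags \\objupdate and \\objemb, and
scans each decoded blob for well-known CLSIDs stored as raw little-endian GUIDs.
The sample RTF built at the bottom is constructed for this example.
"""
import hashlib
import re
import uuid

# CLSIDs looked for inside decoded OLE1 data (list chosen for this example).
KNOWN_CLSIDS = {
    "00000309-0000-0000-C000-000000000046": "Composite Moniker",
    "0002CE02-0000-0000-C000-000000000046": "Equation Editor 3.0",
}
# OLE serialises a GUID with its first three fields little-endian: bytes_le.
CLSID_BYTES = {uuid.UUID(k).bytes_le: v for k, v in KNOWN_CLSIDS.items()}

_OBJDATA = re.compile(rb"\\objdata\b")
# A control word (\foo, \foo-12, \foo ), a hex escape (\'hh) or a control symbol.
_CTRL = re.compile(rb"\\('[0-9a-fA-F]{2}|[a-zA-Z]+-?\d* ?|.)", re.DOTALL)
_HEX = b"0123456789abcdefABCDEF"


def _read_hex_group(data: bytes, pos: int) -> bytes:
    """Collect hex digits after \\objdata until the enclosing group closes.

    Malicious RTFs pad the hex with whitespace, junk control words and nested
    groups; all of those are skipped, as rtfobj-style carvers do.
    """
    depth, digits = 0, bytearray()
    while pos < len(data):
        c = data[pos]
        if c == 0x7B:                      # '{' opens a nested group
            depth += 1
        elif c == 0x7D:                    # '}' at depth 0 closes our group
            if depth == 0:
                break
            depth -= 1
        elif c == 0x5C:                    # '\' skip the whole control word
            m = _CTRL.match(data, pos)
            pos = m.end() if m else pos + 1
            continue
        elif c in _HEX:
            digits.append(c)
        pos += 1
    if len(digits) % 2:                    # drop a dangling nibble
        digits.pop()
    return bytes.fromhex(digits.decode("ascii"))


def carve_rtf(data: bytes) -> dict:
    """Return the report-style heuristics plus one entry per carved object."""
    objects = []
    for m in _OBJDATA.finditer(data):
        blob = _read_hex_group(data, m.end())
        if not blob:
            continue
        objects.append({
            "offset": m.start(),            # offset of the \objdata keyword
            "size": len(blob),
            "sha256": hashlib.sha256(blob).hexdigest(),
            "clsids": sorted(n for raw, n in CLSID_BYTES.items() if raw in blob),
        })
    return {
        "objdata_count": len(objects),
        "objemb": re.search(rb"\\objemb\b", data) is not None,
        "objupdate": re.search(rb"\\objupdate\b", data) is not None,
        "composite_moniker": any("Composite Moniker" in o["clsids"] for o in objects),
        "objects": objects,
    }


# --- constructed sample (benign: carries only the marker bytes) -------------
SAMPLE_OLE1 = (
    b"\x01\x05\x00\x00"                          # OLE1 version
    + b"\x02\x00\x00\x00"                        # format id 2: embedded object
    + b"\x0b\x00\x00\x00Equation.3\x00"          # class name, length-prefixed
    + uuid.UUID("0002CE02-0000-0000-C000-000000000046").bytes_le
    + b"\x00" * 16
)
SAMPLE_OLE1_SHA256 = hashlib.sha256(SAMPLE_OLE1).hexdigest()


def build_sample_rtf(with_composite_moniker: bool = False) -> bytes:
    """Wrap SAMPLE_OLE1 in an \\objemb\\objupdate object, hex-encoded with the
    whitespace and junk-control-word padding seen in real exploit documents."""
    blob = SAMPLE_OLE1
    if with_composite_moniker:
        blob += uuid.UUID("00000309-0000-0000-C000-000000000046").bytes_le
    hx = blob.hex()
    padded = (hx[:20] + "\r\n" + hx[20:40] + "\\junk1 " + hx[40:]).encode()
    return (b"{\\rtf1\\ansi{\\object\\objemb\\objupdate\\objw380\\objh260"
            b"{\\*\\objclass Equation.3}{\\*\\objdata " + padded + b"}}\\par}")


if __name__ == "__main__":
    report = carve_rtf(build_sample_rtf(with_composite_moniker=True))
    for k in ("objdata_count", "objemb", "objupdate", "composite_moniker"):
        print(f"{k}: {report[k]}")
    for i, o in enumerate(report["objects"]):
        print(f"objdata_{i:02d}_off{o['offset']:08x}.bin  {o['size']} bytes  "
              f"sha256={o['sha256']}  clsids={o['clsids']}")
```

Point `carve_rtf` at the bytes of a real sample to get the same offset/size/hash triples the table lists; the \objdata offsets a carver reports depend on whether it anchors on the keyword or on the first hex byte, so compare hashes, not offsets, when cross-checking tools. Note that a CLSID hit in the decoded blob is, as the report's own heuristic says, attack-surface evidence and not by itself proof of exploitation.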