Verdict: MALICIOUS
Risk Score: 302

Malware Insights

MITRE ATT&CK:
- T1203 Exploitation for Client Execution
- T1566.001 Spearphishing Attachment

The RTF file contains multiple embedded OLE objects with excessive hex-encoded data, and the ".objupdate" directive forces OLE activation. Crucially, the heuristic firing for CVE-2017-8759 indicates exploitation of this vulnerability via MSXML SAX OLE activation. This suggests the file is designed to execute arbitrary code by leveraging this known vulnerability, likely as a downloader for further malicious activity.
Heuristics (7)

- CVE-2017-8759 — MSXML SAX OLE activation (severity: critical; category: CVE; confidence: likely; ID: CVE_2017_8759). RTF contains a hex-encoded OLE1 object for Msxml2.SAXXMLReader.6.0 followed by an embedded OLE compound document, and the document requests OLE activation. This matches the RTF staging shape used for CVE-2017-8759 SOAP/WSDL parser code injection.
- ClamAV: Xls.Downloader.Generic-6750544-0 (severity: critical; ID: CLAMAV_DETECTION). ClamAV detected this file as malware: Xls.Downloader.Generic-6750544-0.
- \objupdate forces OLE activation (severity: high; ID: RTF_OBJUPDATE). RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
- Large hex data blocks in OLE object (severity: high; ID: RTF_EXCESSIVE_HEX). RTF contains ~1002KB of hex-encoded data inside \objdata sections, which may hide a payload.
- OLE object data (severity: medium; ID: RTF_OBJDATA). RTF contains 14 \objdata section(s) (embedded OLE objects).
- Embedded OLE object (severity: medium; ID: RTF_OBJEMB). RTF contains \objemb (embedded OLE object).
- Embedded URL (severity: info; ID: EMBEDDED_URL). One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.microsoft.com/office/word/2003/wordml (in RTF body)
Extracted artifacts (14)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 | Detection | Obfuscation or payload |
|---|---|---|---|---|---|---|
| objdata_00_off00002c4e.bin | rtf-objdata-decoded | RTF \objdata at offset 0x2C4E | 28731 bytes | f01cc2e139fa25cf5f74f7ee97189f2241cc70ee938e5a74a3d49e38f50b9604 | ClamAV: Xls.Downloader.Generic-6750544-0 | unlikely |
| objdata_01_off00016c95.bin | rtf-objdata-decoded | RTF \objdata at offset 0x16C95 | 28731 bytes | d3f840710bf6d6f76d6b47a235779921b0dd1a7693eeaa86ce6482897576ba64 | ClamAV: Xls.Downloader.Generic-6750544-0 | unlikely |
| objdata_02_off0002acdc.bin | rtf-objdata-decoded | RTF \objdata at offset 0x2ACDC | 28731 bytes | c16ee150150ad239c06a4288e57716282543d0a19c181b6b206676a9c9beb441 | ClamAV: Xls.Downloader.Generic-6750544-0 | unlikely |
| objdata_03_off0003ed23.bin | rtf-objdata-decoded | RTF \objdata at offset 0x3ED23 | 28731 bytes | 1dc70e611d1e98fb25bb0cc10c3ae8493618d64d16dd5385459fee8b374808dd | ClamAV: Xls.Downloader.Generic-6750544-0 | unlikely |
| objdata_04_off00052d6a.bin | rtf-objdata-decoded | RTF \objdata at offset 0x52D6A | 28731 bytes | 0f0ede80aae0112a53cb858a4f04784e6e30aada8ea3da0ff32583d469b4ddc5 | ClamAV: Xls.Downloader.Generic-6750544-0 | unlikely |
| objdata_05_off00066db1.bin | rtf-objdata-decoded | RTF \objdata at offset 0x66DB1 | 28731 bytes | 17be4cd064da00cbf100a39e88d5e6ddb560a122e498272d32b2ccc1c825916e | ClamAV: Xls.Downloader.Generic-6750544-0 | unlikely |
| objdata_06_off0007adf8.bin | rtf-objdata-decoded | RTF \objdata at offset 0x7ADF8 | 28731 bytes | b3b55606f8a4aa5f9a819e55ae710751c2122faace9137464d2772d0dc93765c | ClamAV: Xls.Downloader.Generic-6750544-0 | unlikely |
| objdata_07_off0008ee8b.bin | rtf-objdata-decoded | RTF \objdata at offset 0x8EE8B | 28731 bytes | f8891bbdea62880610da6af571873128195fc59d3d2dcd18c6d5bc6d20844676 | ClamAV: Xls.Downloader.Generic-6750544-0 | unlikely |
| objdata_08_off000a2ed2.bin | rtf-objdata-decoded | RTF \objdata at offset 0xA2ED2 | 28731 bytes | b5655ac132959c74198ccf69f241c1756c85572050029a3dc0a9600a668021eb | ClamAV: Xls.Downloader.Generic-6750544-0 | unlikely |
| objdata_09_off000b6f19.bin | rtf-objdata-decoded | RTF \objdata at offset 0xB6F19 | 28731 bytes | 414dab992dbbe22b5d1e8f25d03b773f148dd79a66bb92aea6d97ee0a9171d73 | ClamAV: Xls.Downloader.Generic-6750544-0 | unlikely |
| objdata_10_off000caf60.bin | rtf-objdata-decoded | RTF \objdata at offset 0xCAF60 | 28731 bytes | 695b2d7ee04482205ef1c305f372fa5fc4cb52c27598c8573994de3b47857087 | ClamAV: Xls.Downloader.Generic-6750544-0 | unlikely |
| objdata_11_off000defa7.bin | rtf-objdata-decoded | RTF \objdata at offset 0xDEFA7 | 28731 bytes | 50f5674ec1b47529ea25444464d3477a3fd60e765caba64c58d086ad244fb367 | ClamAV: Xls.Downloader.Generic-6750544-0 | unlikely |
| objdata_12_off000f2fee.bin | rtf-objdata-decoded | RTF \objdata at offset 0xF2FEE | 28731 bytes | 8a2ac53c63c8fee3688770202ff2e93f819922e43e1fc85f11a4c33114490293 | ClamAV: Xls.Downloader.Generic-6750544-0 | unlikely |
| objdata_13_off00107035.bin | rtf-objdata-decoded | RTF \objdata at offset 0x107035 | 28731 bytes | 6df54ba0bf2954652422421428ca334f786034e0df55b02a93c3028c076820dd | ClamAV: Xls.Downloader.Generic-6750544-0 | unlikely |