MALICIOUS
Risk score: 282

Heuristics (7)

- Composite Moniker in RTF OLE object (high) RTF_COMPOSITE_MONIKER_RELATED: RTF contains the Composite Moniker CLSID in an OLE object context, but no nearby scriptlet/SCT payload was confirmed. Treat it as evidence of the related moniker attack surface rather than proof of CVE-2017-8570 exploitation.
- ClamAV: Xls.Malware.Generic-6834349-0 (critical) CLAMAV_DETECTION: ClamAV detected this file as malware: Xls.Malware.Generic-6834349-0.
- \objupdate forces OLE activation (high) RTF_OBJUPDATE: RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, with no user interaction required. Almost exclusively seen in Equation Editor exploit documents.
- Large hex data blocks in OLE object (high) RTF_EXCESSIVE_HEX: RTF contains ~1001 KB of hex-encoded data inside \objdata sections, which may hide a payload.
- OLE object data (medium) RTF_OBJDATA: RTF contains 15 \objdata sections (embedded OLE objects).
- Embedded OLE object (medium) RTF_OBJEMB: RTF contains \objemb (embedded OLE object).
- Embedded URL (info) EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://schemas.microsoft.com/office/word/2003/wordml (in RTF body). This is the WordprocessingML namespace that Word-generated RTF declares in its \xmlnstbl group, not a network indicator.
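The RTF rules above (\objdata carving, \objemb, \objupdate, excessive hex, Composite Moniker CLSID) are simple to reproduce outside the analyzer. The script below is an added example, not the analyzer's own code: it carves every \objdata group from an RTF, decodes the hex (tolerating line wraps and stray control words), names and hashes each object the way the report's artifact table does, and raises the same rule IDs. The 64 KiB threshold for RTF_EXCESSIVE_HEX is an assumption (the report does not state its own), and the sample RTF is constructed inline; the Composite Moniker and Equation Editor CLSIDs are the real values those objects carry.

```python
"""Minimal RTF \\objdata carver and rule checker (added example)."""
import hashlib
import re
import sys

# 16 little-endian bytes of CLSID_CompositeMoniker
# {00000309-0000-0000-C000-000000000046}, as stored inside an OLE stream.
COMPOSITE_MONIKER_CLSID = bytes.fromhex("0903000000000000c000000000000046")
# Equation Editor {0002CE02-0000-0000-C000-000000000046}, the object that
# \objupdate-driven exploit documents normally target.
EQUATION_EDITOR_CLSID = bytes.fromhex("02ce020000000000c000000000000046")

# Assumed threshold for RTF_EXCESSIVE_HEX; the report does not state its own.
HEX_THRESHOLD = 64 * 1024

# Control word pattern, used to strip obfuscation words from inside \objdata.
_CONTROL_WORD = re.compile(rb"\\[a-zA-Z]+-?\d* ?")

# Constructed sample (not the analysed file): one embedded object with
# \objupdate whose \objdata hex wraps an OLE1-style blob that contains the
# Composite Moniker CLSID. The hex is line-wrapped the way Word writes it.
_BLOB = (
    b"\x01\x05\x00\x00"                     # OLE1 header version
    + b"\x02\x00\x00\x00"                   # FormatID 2 = embedded object
    + b"\x08\x00\x00\x00" + b"Package\x00"  # length-prefixed class name
    + COMPOSITE_MONIKER_CLSID
    + b"\x00" * 32                          # padding
)
_HEX = _BLOB.hex().encode("ascii")
SAMPLE_RTF = (
    b"{\\rtf1\\ansi{\\object\\objemb\\objupdate\\objw100\\objh100"
    b"{\\*\\objdata " + _HEX[:40] + b"\r\n" + _HEX[40:]
    + b"}}\\par Benign text.}"
)


def find_objdata_sections(rtf):
    """Return (offset, raw_body) per \\objdata group. offset is that of the
    control word itself, as in the report's Source column; raw_body runs up
    to the brace that closes the group, nested groups included."""
    sections = []
    for m in re.finditer(rb"\\objdata(?![a-zA-Z])", rtf):
        depth, i = 0, m.end()
        while i < len(rtf):
            if rtf[i] == 0x7B:          # '{' opens a nested group
                depth += 1
            elif rtf[i] == 0x7D:        # '}' closes one; depth 0 ends ours
                if depth == 0:
                    break
                depth -= 1
            i += 1
        sections.append((m.start(), rtf[m.end():i]))
    return sections


def decode_objdata(raw_body):
    """Drop nested control words and anything that is not a hex digit, then
    decode; a dangling nibble is discarded rather than raising."""
    hexchars = re.sub(rb"[^0-9A-Fa-f]", b"", _CONTROL_WORD.sub(b"", raw_body))
    if len(hexchars) % 2:
        hexchars = hexchars[:-1]
    return bytes.fromhex(hexchars.decode("ascii"))


def analyze(rtf):
    """Carve every \\objdata object and evaluate the report's RTF rules."""
    artifacts, hex_len = [], 0
    for idx, (off, raw) in enumerate(find_objdata_sections(rtf)):
        data = decode_objdata(raw)
        hex_len += len(raw)
        artifacts.append({
            "name": "objdata_%02d_off%08x.bin" % (idx, off),
            "offset": off,
            "size": len(data),
            "sha256": hashlib.sha256(data).hexdigest(),
            "composite_moniker": COMPOSITE_MONIKER_CLSID in data,
            "equation_editor": EQUATION_EDITOR_CLSID in data,
        })
    findings = []
    if artifacts:
        findings.append(("RTF_OBJDATA", "medium"))
    if b"\\objemb" in rtf:
        findings.append(("RTF_OBJEMB", "medium"))
    if b"\\objupdate" in rtf:
        findings.append(("RTF_OBJUPDATE", "high"))
    if hex_len > HEX_THRESHOLD:
        findings.append(("RTF_EXCESSIVE_HEX", "high"))
    if any(a["composite_moniker"] for a in artifacts):
        findings.append(("RTF_COMPOSITE_MONIKER_RELATED", "high"))
    return {"artifacts": artifacts, "hex_len": hex_len, "findings": findings}


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_RTF
    report = analyze(blob)
    for rule, sev in report["findings"]:
        print("%-32s %s" % (rule, sev))
    for a in report["artifacts"]:
        print(a["name"], a["size"], a["sha256"])
```

Run it with a path to an RTF, or with no argument to analyze the constructed sample. On the sample it carves one 68-byte object, flags the Composite Moniker CLSID, and raises RTF_OBJDATA, RTF_OBJEMB, RTF_OBJUPDATE and RTF_COMPOSITE_MONIKER_RELATED; the offset-based naming matches the report's objdata_NN_offXXXXXXXX.bin convention, so hashes of carved objects can be compared directly against the artifact table.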
Extracted artifacts (13)

Files carved from inside the sample during analysis: 13 of the 15 \objdata sections reported above (indices 02 and 03 are absent from the listing). Every carved object decodes to exactly 35,899 bytes and matches the same ClamAV signature, yet each has a distinct SHA-256.

| Filename | Kind | Source | Size | SHA-256 | ClamAV | Obfuscation or payload |
|---|---|---|---|---|---|---|
| objdata_00_off00003cb6.bin | rtf-objdata-decoded | RTF \objdata at offset 0x3CB6 | 35899 bytes | 0c3a0c0604a83a929695d12f3bd3b60a0ba98ce3ba2df3b803ba79509dfffeaa | Xls.Malware.Generic-6834349-0 | unlikely |
| objdata_01_off0001abd4.bin | rtf-objdata-decoded | RTF \objdata at offset 0x1ABD4 | 35899 bytes | aeda1846d61e655e0fb18ec5598be2aec90e1ba7f256c1b2404888543d575f8a | Xls.Malware.Generic-6834349-0 | unlikely |
| objdata_04_off0005f92e.bin | rtf-objdata-decoded | RTF \objdata at offset 0x5F92E | 35899 bytes | 75eb3af4911a4d03fea068e3f45c9f97ac73d92e1bf2eedffa10412f959fcd4e | Xls.Malware.Generic-6834349-0 | unlikely |
| objdata_05_off00077687.bin | rtf-objdata-decoded | RTF \objdata at offset 0x77687 | 35899 bytes | 2b0fdf59429672860d9129b9d1e0b710e08843345f3bf07428bee314063dd60a | Xls.Malware.Generic-6834349-0 | unlikely |
| objdata_06_off0008e4fd.bin | rtf-objdata-decoded | RTF \objdata at offset 0x8E4FD | 35899 bytes | 87adf6b625aa17299b0b6dddbe7526c823b415685e52f561946e00cf3376945b | Xls.Malware.Generic-6834349-0 | unlikely |
| objdata_07_off000a5479.bin | rtf-objdata-decoded | RTF \objdata at offset 0xA5479 | 35899 bytes | 47cb382e0be54dc11f5589849834e1ef1c0328551063a812d565f63f01c766ae | Xls.Malware.Generic-6834349-0 | unlikely |
| objdata_08_off000bc3f5.bin | rtf-objdata-decoded | RTF \objdata at offset 0xBC3F5 | 35899 bytes | 9b22544f4b830790418f8e51af71925858fe3ecba8a7b8274884f2f915941082 | Xls.Malware.Generic-6834349-0 | unlikely |
| objdata_09_off000d3371.bin | rtf-objdata-decoded | RTF \objdata at offset 0xD3371 | 35899 bytes | 29cf4e597c7b8e436670a5a46a6a197b8ea050f1a4ab90b15df20a3647f6ace4 | Xls.Malware.Generic-6834349-0 | unlikely |
| objdata_10_off000ea2f3.bin | rtf-objdata-decoded | RTF \objdata at offset 0xEA2F3 | 35899 bytes | 6a00eb25ff88abd7c6b34aff4c935fe6ede5292722332870ed4be30cf754dd7a | Xls.Malware.Generic-6834349-0 | unlikely |
| objdata_11_off0010126f.bin | rtf-objdata-decoded | RTF \objdata at offset 0x10126F | 35899 bytes | 0d5b7cfb1c46cac14b42aa20bb0a0c05b04641376a00a7af4b36694ccea9145c | Xls.Malware.Generic-6834349-0 | unlikely |
| objdata_12_off001181eb.bin | rtf-objdata-decoded | RTF \objdata at offset 0x1181EB | 35899 bytes | d902f30c21dbe8cb7ca5a4804d470987da2ca0c58847911ea6461aff20ebb06f | Xls.Malware.Generic-6834349-0 | unlikely |
| objdata_13_off0012f167.bin | rtf-objdata-decoded | RTF \objdata at offset 0x12F167 | 35899 bytes | 51d7561f1eae4d98ce0873893fa2c22e5b166d335313543ddd351cfce1e2de86 | Xls.Malware.Generic-6834349-0 | unlikely |
| objdata_14_off001460e3.bin | rtf-objdata-decoded | RTF \objdata at offset 0x1460E3 | 35899 bytes | 0d41d6d5ef1a67d1cfbf783c64481479817ea5ac09117529280bf365f6ec6f63 | Xls.Malware.Generic-6834349-0 | unlikely |