Xls.Malware.Sload-7135989-0 — RTF malware analysis

Static analysis result for SHA-256 1e1755485a01f637…

MALICIOUS

RTF

Size: 739.3 KB · Created: 2018-07-13 13:11:00 · First seen: 2019-01-25
MD5: f0661d4c7f46b2e90493cfc2688a6e25
SHA-1: d9129507ca226804530f2500bb6bec6435d40c28
SHA-256: 1e1755485a01f637ed3ab11f46606b123256219cc1bd223e2f194ec2d4eca861
Risk score: 242

Malware Insights

Xls.Malware.Sload-7135989-0 · confidence 95%

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1566.001 Spearphishing Attachment

The RTF file contains multiple OLE objects, with heuristics indicating that \objupdate forces OLE activation and that Composite Monikers are present. ClamAV signatures identify the embedded content as Xls.Malware.Sload-7135989-0, suggesting an exploit targeting spreadsheet functionality. The primary attack vector is likely spearphishing, with the embedded OLE object serving as the malicious payload.

Heuristics (6)

  • Composite Moniker in RTF OLE object [high, CVE related] RTF_COMPOSITE_MONIKER_RELATED
    RTF contains Composite Moniker CLSID in OLE object context, but no nearby scriptlet/SCT payload was confirmed. Treat as related moniker attack-surface evidence rather than proof of CVE-2017-8570 exploitation.
  • ClamAV: Xls.Malware.Sload-7135989-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Malware.Sload-7135989-0
  • \objupdate forces OLE activation [high] RTF_OBJUPDATE
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data [medium] RTF_OBJDATA
    RTF contains 10 \objdata section(s): embedded OLE objects
  • Embedded OLE object [medium] RTF_OBJEMB
    RTF contains \objemb: embedded OLE object
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.microsoft.com/office/word/2003/wordml (in RTF body)

Extracted artifacts (10)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size

objdata_00_off00003c43.bin | rtf-objdata-decoded | RTF \objdata at offset 0x3C43 | 24635 bytes
  SHA-256: 8d64210258960ba1f36192db9b7ee675a42c9ef8de11c20ebd4b83d95bb01b30
  Detection: ClamAV: Xls.Malware.Sload-7135989-0
  Obfuscation or payload: unlikely

objdata_01_off00015489.bin | rtf-objdata-decoded | RTF \objdata at offset 0x15489 | 24635 bytes
  SHA-256: 4cb1d7dc287f2714a5fe55b5dd2e1cef4f405d929c204357bff335ebc04cdb87
  Detection: ClamAV: Xls.Malware.Sload-7135989-0
  Obfuscation or payload: unlikely

objdata_02_off00026ccf.bin | rtf-objdata-decoded | RTF \objdata at offset 0x26CCF | 24635 bytes
  SHA-256: 6106221be928d2ad78f95a983d8a8988167b9cd5b11b1763afe55ee1fe9926e7
  Detection: ClamAV: Xls.Malware.Sload-7135989-0
  Obfuscation or payload: unlikely

objdata_03_off00038515.bin | rtf-objdata-decoded | RTF \objdata at offset 0x38515 | 24635 bytes
  SHA-256: 973099568e5d93391b8deb857c35453980bb717e539829614c3cdd84c4873a94
  Detection: ClamAV: Xls.Malware.Sload-7135989-0
  Obfuscation or payload: unlikely

objdata_04_off00049d5b.bin | rtf-objdata-decoded | RTF \objdata at offset 0x49D5B | 24635 bytes
  SHA-256: c590c953a3c922b8b73044f9309557e00333d69f76b3077846c2e12911636aef
  Detection: ClamAV: Xls.Malware.Sload-7135989-0
  Obfuscation or payload: unlikely

objdata_05_off0005c3bd.bin | rtf-objdata-decoded | RTF \objdata at offset 0x5C3BD | 24635 bytes
  SHA-256: 21dbcdb0e18b729d814a9977817862c5fff8e8ad2313e424c87c199fd4040754
  Detection: ClamAV: Xls.Malware.Sload-7135989-0
  Obfuscation or payload: unlikely

objdata_06_off0006dc22.bin | rtf-objdata-decoded | RTF \objdata at offset 0x6DC22 | 24635 bytes
  SHA-256: 2ed9fdce72c6afe04d4fc89332743a95c8353c947fb061c62397d64d282ee366
  Detection: ClamAV: Xls.Malware.Sload-7135989-0
  Obfuscation or payload: unlikely

objdata_07_off0007f489.bin | rtf-objdata-decoded | RTF \objdata at offset 0x7F489 | 24635 bytes
  SHA-256: ccf19865a70e756fa283913595960d59f29ddf18c095033bc823d8958e6dfbb1
  Detection: ClamAV: Xls.Malware.Sload-7135989-0
  Obfuscation or payload: unlikely

objdata_08_off00090cf0.bin | rtf-objdata-decoded | RTF \objdata at offset 0x90CF0 | 24635 bytes
  SHA-256: e86dc040ed16ad6aa1e06219eb0c4bb794c91dac2d81539b9bf500136e4b9bf7
  Detection: ClamAV: Xls.Malware.Sload-7135989-0
  Obfuscation or payload: unlikely

objdata_09_off000a2557.bin | rtf-objdata-decoded | RTF \objdata at offset 0xA2557 | 24635 bytes
  SHA-256: 8df1489e15cb4adffe34fe44ddfbbd6950454676afbcfbfcbbac26da94a3ed2d
  Detection: ClamAV: Xls.Malware.Sload-7135989-0
  Obfuscation or payload: unlikely