Verdict: MALICIOUS (Risk Score: 302)
Malware Insights
MITRE ATT&CK
- T1203 Exploitation for Client Execution
- T1566.001 Spearphishing Attachment
The RTF file carries ten embedded OLE objects holding large blocks of hex-encoded data, and the \objupdate control word forces those objects to be activated as soon as the document is opened, with no user interaction. The decisive signal is the CVE-2017-8759 heuristic: an OLE1 object for the Msxml2.SAXXMLReader.6.0 class followed by an embedded OLE compound document, which is the staging shape used to reach the .NET Framework SOAP WSDL parser code-injection flaw through MSXML SAX OLE activation. Taken together, the file is built to execute arbitrary code on open, most likely acting as a downloader or stager for a follow-on payload.
Heuristics (7)

- CVE-2017-8759 — MSXML SAX OLE activation (critical; rule CVE_2017_8759): RTF contains a hex-encoded OLE1 object for Msxml2.SAXXMLReader.6.0 followed by an embedded OLE compound document, and the document requests OLE activation. This matches the RTF staging shape used for CVE-2017-8759 (.NET Framework SOAP/WSDL parser code injection).
- ClamAV: Doc.Macro.Obfuscation-6391394-0 (critical; rule CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Macro.Obfuscation-6391394-0. The same signature fires on each of the ten carved objects below, so the match is on the embedded OLE object content rather than on RTF-level macro code (RTF carries no VBA of its own).
- \objupdate forces OLE activation (high; rule RTF_OBJUPDATE): RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. The control word is rarely used in legitimate documents and is a common marker of OLE-activation exploit documents (classically Equation Editor exploits); here it pairs with the MSXML SAX object.
- Large hex data blocks in OLE object (high; rule RTF_EXCESSIVE_HEX): RTF contains ~2671 KB of hex-encoded data inside \objdata sections, which may hide a payload.
- OLE object data (medium; rule RTF_OBJDATA): RTF contains 10 \objdata sections (embedded OLE objects).
- Embedded OLE object (medium; rule RTF_OBJEMB): RTF contains \objemb (embedded OLE object).
- Embedded URL (info; rule EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.microsoft.com/office/word/2003/wordml (in RTF body). This is the Word 2003 XML schema namespace identifier and is not a network indicator on its own.
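The heuristics above and the carved artifacts below come from the same mechanical steps: find each \objdata group, strip it down to hex, decode it, read the OLE1 ObjectHeader to get the class name, hash the decoded object and check the control words around it. The Python below is an added example of that triage, not the analyzer's own code or rules. It builds its own small RTF sample in memory (the sample, the 100 KiB "excessive hex" threshold and the rule names are assumptions chosen to mirror the report); it is not the analysed file.

```python
import hashlib
import re
import struct

OLE_CFB_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"   # OLE compound document signature
EXCESSIVE_HEX_BYTES = 100 * 1024                      # assumed threshold, not the analyzer's
HEX_DIGITS = b"0123456789abcdefABCDEF"


def ole1_embedded_object(class_name: str, native: bytes) -> bytes:
    """Build an OLE1.0 EmbeddedObject (ObjectHeader + NativeData) for the constructed sample."""
    def lp_str(s: str) -> bytes:                      # LengthPrefixedAnsiString: u32 length incl. NUL
        b = s.encode("ascii") + b"\x00"
        return struct.pack("<I", len(b)) + b
    return (struct.pack("<II", 0x00000501, 0x00000002)   # OLEVersion, FormatID 2 = EmbeddedObject
            + lp_str(class_name) + lp_str("") + lp_str("")  # ClassName, TopicName, ItemName
            + struct.pack("<I", len(native)) + native)      # NativeDataSize, NativeData


# Constructed sample (not the analysed file): one \objemb object with \objupdate set whose
# NativeData starts with a compound-document header, i.e. the shape the report describes.
SAMPLE_NATIVE = OLE_CFB_MAGIC + b"\x00" * 56
SAMPLE_OBJ = ole1_embedded_object("Msxml2.SAXXMLReader.6.0", SAMPLE_NATIVE)
SAMPLE_RTF = (
    "{\\rtf1\\ansi\\deff0\n"
    "{\\object\\objemb\\objupdate\\objw100\\objh100\n"
    "{\\*\\objclass Msxml2.SAXXMLReader.6.0}\n"
    "{\\*\\objdata " + SAMPLE_OBJ.hex() + "}}\n"
    "}"
).encode()


def carve_objdata(rtf: bytes):
    """Yield (offset, hex_char_count, decoded_bytes) for every \\objdata group in the RTF."""
    for m in re.finditer(rb"\\objdata\b", rtf):
        i, depth, hexchars = m.end(), 0, bytearray()
        while i < len(rtf):
            c = rtf[i:i + 1]
            if c == b"{":
                depth += 1
            elif c == b"}":
                if depth == 0:
                    break                             # closing brace of the \objdata group
                depth -= 1
            elif c == b"\\":                          # skip nested control words so their
                i += 1                                # letters are not read as hex digits
                while i < len(rtf) and rtf[i:i + 1].isalpha():
                    i += 1
                continue
            elif c in HEX_DIGITS:
                hexchars += c
            i += 1                                    # whitespace and anything else is ignored
        if len(hexchars) % 2:
            hexchars = hexchars[:-1]
        yield m.start(), len(hexchars), bytes.fromhex(hexchars.decode("ascii"))


def parse_ole1_header(data: bytes):
    """Read the OLE1 ObjectHeader; return None if the prefix is not well formed."""
    if len(data) < 8:
        return None
    version, format_id = struct.unpack_from("<II", data, 0)
    pos, names = 8, []
    for _ in range(3):                                # ClassName, TopicName, ItemName
        if pos + 4 > len(data):
            return None
        n = struct.unpack_from("<I", data, pos)[0]
        pos += 4
        if n > len(data) - pos:
            return None
        names.append(data[pos:pos + n].rstrip(b"\x00").decode("latin-1"))
        pos += n
    native = b""
    if format_id == 2 and pos + 4 <= len(data):      # EmbeddedObject carries NativeDataSize + data
        size = struct.unpack_from("<I", data, pos)[0]
        native = data[pos + 4:pos + 4 + size]
    return {"version": version, "format_id": format_id, "class_name": names[0], "native": native}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def triage_rtf(rtf: bytes) -> dict:
    """Carve every object and apply the report's rule logic; findings are rule names."""
    objects, total_hex = [], 0
    for offset, hex_len, decoded in carve_objdata(rtf):
        total_hex += hex_len
        hdr = parse_ole1_header(decoded) or {}
        objects.append({
            "offset": offset, "size": len(decoded), "sha256": sha256_hex(decoded),
            "class_name": hdr.get("class_name"),
            "native_is_compound_doc": hdr.get("native", b"").startswith(OLE_CFB_MAGIC),
        })
    findings = []
    if b"\\objupdate" in rtf:
        findings.append("RTF_OBJUPDATE")
    if b"\\objemb" in rtf:
        findings.append("RTF_OBJEMB")
    if objects:
        findings.append("RTF_OBJDATA")
    if total_hex > EXCESSIVE_HEX_BYTES:
        findings.append("RTF_EXCESSIVE_HEX")
    staged = any((o["class_name"] or "").lower().startswith("msxml2.saxxmlreader")
                 and o["native_is_compound_doc"] for o in objects)
    if staged and "RTF_OBJUPDATE" in findings:      # SAXXMLReader + compound doc + forced activation
        findings.append("CVE_2017_8759")
    return {"objects": objects, "hex_bytes": total_hex, "findings": findings}


if __name__ == "__main__":
    result = triage_rtf(SAMPLE_RTF)
    for o in result["objects"]:
        print(f"\\objdata at 0x{o['offset']:X}: {o['size']} bytes, class {o['class_name']}, sha256 {o['sha256']}")
    print("findings:", result["findings"])
```

Pointing `triage_rtf` at a real RTF file reproduces the artifact listing format above (offset, decoded size, SHA-256 per object). The CVE rule deliberately requires all three conditions; an RTF that embeds the SAX reader without \objupdate still needs the user to activate the object, which is why the RTF_OBJUPDATE rule is scored separately.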
Extracted artifacts (10)
Files carved from inside the sample during analysis. All ten decoded objects are the same size (21569 bytes) but have distinct SHA-256 hashes, ClamAV fires the same signature on each, and none is rated as likely obfuscated or payload-bearing.

| Filename | Kind | Source | Size | SHA-256 | ClamAV detection | Obfuscation or payload |
|---|---|---|---|---|---|---|
| objdata_00_off00002dfd.bin | rtf-objdata-decoded | RTF \objdata at offset 0x2DFD | 21569 bytes | a8676c462a2640612207482836a07726038aa99ffb33f31884832b8abe177a48 | Doc.Macro.Obfuscation-6391394-0 | unlikely |
| objdata_01_off00013036.bin | rtf-objdata-decoded | RTF \objdata at offset 0x13036 | 21569 bytes | 3b0f791de82782beb769ccd8d3ee2013e24c29e802c2a3e909d4ed7319913121 | Doc.Macro.Obfuscation-6391394-0 | unlikely |
| objdata_02_off00023271.bin | rtf-objdata-decoded | RTF \objdata at offset 0x23271 | 21569 bytes | fd6461bd060b16b5cca02e0072814a5a4bfd9c59ef9ea9456726acfce9d279d3 | Doc.Macro.Obfuscation-6391394-0 | unlikely |
| objdata_03_off000334ac.bin | rtf-objdata-decoded | RTF \objdata at offset 0x334AC | 21569 bytes | 2ec2b8bcc95ad9a0836a00619415ad7a4f6286f1eb836b4ae6b534ff2168c069 | Doc.Macro.Obfuscation-6391394-0 | unlikely |
| objdata_04_off000436e7.bin | rtf-objdata-decoded | RTF \objdata at offset 0x436E7 | 21569 bytes | 6725326aa9f804b9f1dee7849860645f937338289686e83efdc8d9e9d3b029f9 | Doc.Macro.Obfuscation-6391394-0 | unlikely |
| objdata_05_off00053922.bin | rtf-objdata-decoded | RTF \objdata at offset 0x53922 | 21569 bytes | 593925a4e9759abc71fe5c9bca217e57e1c851d37eec3811553dbc382e81f5d7 | Doc.Macro.Obfuscation-6391394-0 | unlikely |
| objdata_06_off00063b5d.bin | rtf-objdata-decoded | RTF \objdata at offset 0x63B5D | 21569 bytes | 26709b7ea63876d449a4643fb40d7ab374b82dd2c610d13a473a3a5563df30aa | Doc.Macro.Obfuscation-6391394-0 | unlikely |
| objdata_07_off00073d98.bin | rtf-objdata-decoded | RTF \objdata at offset 0x73D98 | 21569 bytes | 7ee3a9992d4b8b5969cd341613208a3ff23e8aad91b20d82a58eced7fee70dce | Doc.Macro.Obfuscation-6391394-0 | unlikely |
| objdata_08_off00083fd3.bin | rtf-objdata-decoded | RTF \objdata at offset 0x83FD3 | 21569 bytes | 23742f63d1567674b2bbbc3647a6b56a94ae790d3c186df195785f2c95fdc9b3 | Doc.Macro.Obfuscation-6391394-0 | unlikely |
| objdata_09_off0009420e.bin | rtf-objdata-decoded | RTF \objdata at offset 0x9420E | 21569 bytes | 90d462d7d1e71b32c021f1ea51ebb58e6c1386bb654a135f2b0087f37f3f9e52 | Doc.Macro.Obfuscation-6391394-0 | unlikely |