Xls.Malware.Sload-7135989-0 — RTF malware analysis

Static analysis result for SHA-256 215b7156548f04cf…

MALICIOUS

RTF

Size: 789.6 KB
Created: 2018-07-17 14:06:00
First seen: 2019-05-31
MD5: a07d5ac32e1950e6033ec13a7e1c3af7
SHA-1: 880e74d8405a32bc00d3aabdb5460514c82b9de8
SHA-256: 215b7156548f04cf40c722189be95273d93e2cf8c53c396acca9ac94daf851ef
Risk Score: 242

Malware Insights

Xls.Malware.Sload-7135989-0 · confidence 95%

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1566.001 Spearphishing Attachment

The RTF file contains multiple OLE objects, with heuristics indicating that \objupdate forces OLE activation and that Composite Monikers are present. ClamAV signatures identify the embedded content as Xls.Malware.Sload-7135989-0, suggesting an exploit targeting spreadsheet functionality. The primary attack vector is likely spearphishing, with the embedded OLE object serving as the malicious payload.

Heuristics (6)

  • Composite Moniker in RTF OLE object [high, CVE related] RTF_COMPOSITE_MONIKER_RELATED
    RTF contains a Composite Moniker CLSID in OLE object context, but no nearby scriptlet/SCT payload was confirmed. Treat as related moniker attack-surface evidence rather than proof of CVE-2017-8570 exploitation.
  • ClamAV: Xls.Malware.Sload-7135989-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Malware.Sload-7135989-0
  • \objupdate forces OLE activation [high] RTF_OBJUPDATE
    RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data [medium] RTF_OBJDATA
    RTF contains 10 \objdata section(s) (embedded OLE objects)
  • Embedded OLE object [medium] RTF_OBJEMB
    RTF contains \objemb (embedded OLE object)
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.microsoft.com/office/word/2003/wordml (in RTF body)

Extracted artifacts (10)

Files carved from inside the sample during analysis.

  • objdata_00_off00003c2b.bin
    Kind: rtf-objdata-decoded · Source: RTF \objdata at offset 0x3C2B · Size: 27195 bytes
    SHA-256: bd055ba0d436209073dd07221314034cfad7e4a31f866c42493a50dc23f5dee5
    Detection: ClamAV: Xls.Malware.Sload-7135989-0
    Obfuscation or payload: unlikely
  • objdata_01_off00016897.bin
    Kind: rtf-objdata-decoded · Source: RTF \objdata at offset 0x16897 · Size: 27195 bytes
    SHA-256: 8ae8db2aaea5063a4f9c504d0b09251112fbf70886847145e6127e2696cc41bc
    Detection: ClamAV: Xls.Malware.Sload-7135989-0
    Obfuscation or payload: unlikely
  • objdata_02_off00029503.bin
    Kind: rtf-objdata-decoded · Source: RTF \objdata at offset 0x29503 · Size: 27195 bytes
    SHA-256: 9437eb5e9b0000ce1b64e65e52e86c91d3dfa270efa6c628bfadf41545b5473a
    Detection: ClamAV: Xls.Malware.Sload-7135989-0
    Obfuscation or payload: unlikely
  • objdata_03_off0003c16f.bin
    Kind: rtf-objdata-decoded · Source: RTF \objdata at offset 0x3C16F · Size: 27195 bytes
    SHA-256: 3c20494fe84a6497b602715fcdc94db01e676fdc019aa640126c51fe080aacb3
    Detection: ClamAV: Xls.Malware.Sload-7135989-0
    Obfuscation or payload: unlikely
  • objdata_04_off0004eddb.bin
    Kind: rtf-objdata-decoded · Source: RTF \objdata at offset 0x4EDDB · Size: 27195 bytes
    SHA-256: d143e478a6140a38edd18947dc51ca5a1f2805cb92ba25c8645a7ce78de0da69
    Detection: ClamAV: Xls.Malware.Sload-7135989-0
    Obfuscation or payload: unlikely
  • objdata_05_off00062857.bin
    Kind: rtf-objdata-decoded · Source: RTF \objdata at offset 0x62857 · Size: 27195 bytes
    SHA-256: cc0349a2a4bf362ed4175af0d586789d68793331b9ef022f023dd8ea4f82ff5a
    Detection: ClamAV: Xls.Malware.Sload-7135989-0
    Obfuscation or payload: unlikely
  • objdata_06_off000754e2.bin
    Kind: rtf-objdata-decoded · Source: RTF \objdata at offset 0x754E2 · Size: 27195 bytes
    SHA-256: 2c0c04e7452b29cf29fc640d9b5e0c0b9e78069bec7f343eeb8f782994455d09
    Detection: ClamAV: Xls.Malware.Sload-7135989-0
    Obfuscation or payload: unlikely
  • objdata_07_off0008816f.bin
    Kind: rtf-objdata-decoded · Source: RTF \objdata at offset 0x8816F · Size: 27195 bytes
    SHA-256: 2e49e7938b7751c36d08291dd720307b34f8f2b8d03694b48b2444f34570c08a
    Detection: ClamAV: Xls.Malware.Sload-7135989-0
    Obfuscation or payload: unlikely
  • objdata_08_off0009adfc.bin
    Kind: rtf-objdata-decoded · Source: RTF \objdata at offset 0x9ADFC · Size: 27195 bytes
    SHA-256: b488e494eadb316916fcff31e4de977a2418336d98ad6a4cdcd4514d87781b5c
    Detection: ClamAV: Xls.Malware.Sload-7135989-0
    Obfuscation or payload: unlikely
  • objdata_09_off000ada89.bin
    Kind: rtf-objdata-decoded · Source: RTF \objdata at offset 0xADA89 · Size: 27195 bytes
    SHA-256: 69ece0be78a02d652e190069b2c6aca5c246fe419a3c1d202844c5a0e5c69276
    Detection: ClamAV: Xls.Malware.Sload-7135989-0
    Obfuscation or payload: unlikely