Verdict: MALICIOUS (Risk Score: 202)

Malware Insights

MITRE ATT&CK:
- T1203 Exploitation for Client Execution
- T1566.001 Spearphishing Attachment
The RTF file contains an embedded OLE object that is activated via \objupdate, exploiting CVE-2017-8759. This technique is commonly used by droppers to download and execute additional malware. ClamAV identified the sample as Rtf.Dropper.Agent-7384550-0, supporting its role as a dropper.
Heuristics (6)

- CVE-2017-8759: MSXML SAX OLE activation [critical, CVE_2017_8759]. RTF contains a hex-encoded OLE1 object for Msxml2.SAXXMLReader.6.0 followed by an embedded OLE compound document, and the document requests OLE activation. This matches the RTF staging shape used for CVE-2017-8759 SOAP/WSDL parser code injection.
- ClamAV: Doc.Dropper.Agent-6934217-0 [critical, CLAMAV_DETECTION]. ClamAV detected this file as malware: Doc.Dropper.Agent-6934217-0.
- \objupdate forces OLE activation [high, RTF_OBJUPDATE]. RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
- OLE object data [medium, RTF_OBJDATA]. RTF contains 15 \objdata section(s) (embedded OLE objects).
- Embedded OLE object [medium, RTF_OBJEMB]. RTF contains \objemb (embedded OLE object).
- Embedded URL [info, EMBEDDED_URL]. One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.microsoft.com/office/word/2003/wordml (in RTF body).
Extracted artifacts (15)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| objdata_00_off00003555.bin | rtf-objdata-decoded | RTF \objdata at offset 0x3555 | 19515 bytes | 7d5ed994a5a63726f2321a03129a093f3d87a280636d377d5413f3084c3b5678 |
| objdata_01_off0001276c.bin | rtf-objdata-decoded | RTF \objdata at offset 0x1276C | 19515 bytes | 2867d8f7fbdfcfb1f9a02946b7be47b9fde8393a5d8a7e17607ca4955a1150a0 |
| objdata_02_off00021983.bin | rtf-objdata-decoded | RTF \objdata at offset 0x21983 | 19515 bytes | 4946edaa3e0ee5df88caae7920ddc7dedb14ad7faf60ca7ad68f41d754cc2cbb |
| objdata_03_off00030b9a.bin | rtf-objdata-decoded | RTF \objdata at offset 0x30B9A | 19515 bytes | d170c419384c2ec490ed753bfaad3c9d10413150d9363b6faacad9229d8ff7d1 |
| objdata_04_off0003fdb1.bin | rtf-objdata-decoded | RTF \objdata at offset 0x3FDB1 | 19515 bytes | 9a0376185684d4bf10a0e36e56a00a04edd987b86622116db68082bb832f7b84 |
| objdata_05_off0004efc8.bin | rtf-objdata-decoded | RTF \objdata at offset 0x4EFC8 | 19515 bytes | 4b470842d85f8882dfef08be065467a0bc8a4dd08ca60a83089174b479e427f5 |
| objdata_06_off0005e1df.bin | rtf-objdata-decoded | RTF \objdata at offset 0x5E1DF | 19515 bytes | a261f2c116f7072f5964fbc466b143808d63487b96d2bfa3d3a0f527c193e196 |
| objdata_07_off0006d3f6.bin | rtf-objdata-decoded | RTF \objdata at offset 0x6D3F6 | 19515 bytes | f0796bcb24239d90e00dc32688bef05dc2a1f37083cea0715b60fd70b851de2c |
| objdata_08_off0007c60d.bin | rtf-objdata-decoded | RTF \objdata at offset 0x7C60D | 19515 bytes | 7932a5d8718e0f151fb7244db8b1dcef838a8de9c9b2a1df0e302c6a4f09d545 |
| objdata_09_off0008b824.bin | rtf-objdata-decoded | RTF \objdata at offset 0x8B824 | 19515 bytes | 6f475d13bd3bb10df8e5d3fc1608375cb8fff1bada5d9b7ea75503c930cdb515 |
| objdata_10_off0009aa3b.bin | rtf-objdata-decoded | RTF \objdata at offset 0x9AA3B | 19515 bytes | c6e4bdff6297868c04bcfecf207ecac0bbaaf188b68db5fc217e65a6155ceb75 |
| objdata_11_off000a9c52.bin | rtf-objdata-decoded | RTF \objdata at offset 0xA9C52 | 19515 bytes | 4febab8cd1214f505b87de2ef3e7a33399715d77e1efe8e0ceb3989b44b9028b |
| objdata_12_off000b8e69.bin | rtf-objdata-decoded | RTF \objdata at offset 0xB8E69 | 19515 bytes | 3023a511bf801b59f1fa663fecbaa678df1ebf63785ee67981122e89083f0ef0 |
| objdata_13_off000c8080.bin | rtf-objdata-decoded | RTF \objdata at offset 0xC8080 | 19515 bytes | 49d8347209e6da2807569d21f36878644b1f47a81f748f4e8804cc969747d5f4 |
| objdata_14_off000d7297.bin | rtf-objdata-decoded | RTF \objdata at offset 0xD7297 | 19515 bytes | c0ea0bbc8f9e9e0999612101115cbf75f66f1e2c991b66a23cde72cfae392eba |