Verdict: MALICIOUS
Risk Score: 242

Heuristics (6)

- Composite Moniker in RTF OLE object (high, RTF_COMPOSITE_MONIKER_RELATED): RTF contains Composite Moniker CLSID in OLE object context, but no nearby scriptlet/SCT payload was confirmed. Treat as related moniker attack-surface evidence rather than proof of CVE-2017-8570 exploitation.
- ClamAV: Doc.Macro.Obfuscation-6391394-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Macro.Obfuscation-6391394-0
- \objupdate forces OLE activation (high, RTF_OBJUPDATE): RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
- OLE object data (medium, RTF_OBJDATA): RTF contains 10 \objdata section(s) (embedded OLE objects).
- Embedded OLE object (medium, RTF_OBJEMB): RTF contains \objemb (embedded OLE object).
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.microsoft.com/office/word/2003/wordml (in RTF body)
Extracted artifacts (10)

Files carved from inside the sample during analysis. All ten objects decode to the same size (29243 bytes) but carry distinct SHA-256 hashes, and every one is flagged by ClamAV with the same signature.

| Filename | Kind | Source | Size | SHA-256 | Detection | Obfuscation or payload |
|---|---|---|---|---|---|---|
| objdata_00_off0000291d.bin | rtf-objdata-decoded | RTF \objdata at offset 0x291D | 29243 bytes | 34d61e9f10f3ee079b8f776ef0b490aef7b827b55aae6e1d0f79ff72b1a7c981 | ClamAV: Doc.Macro.Obfuscation-6391394-0 | unlikely |
| objdata_01_off0001654a.bin | rtf-objdata-decoded | RTF \objdata at offset 0x1654A | 29243 bytes | cec8929930978db74cd563540b902f4b64f10f722973458fc60acff1f858a035 | ClamAV: Doc.Macro.Obfuscation-6391394-0 | unlikely |
| objdata_02_off0002a1f3.bin | rtf-objdata-decoded | RTF \objdata at offset 0x2A1F3 | 29243 bytes | eebe500845f6ad6afd6785df3eb6ce39b4b0e6566470e84929305e102c4c6fa2 | ClamAV: Doc.Macro.Obfuscation-6391394-0 | unlikely |
| objdata_03_off0003de9e.bin | rtf-objdata-decoded | RTF \objdata at offset 0x3DE9E | 29243 bytes | b067770d1aea8afff2ee775161b8e05d9ef0c0d9e454895ee66aab1c5c2c337b | ClamAV: Doc.Macro.Obfuscation-6391394-0 | unlikely |
| objdata_04_off00051b49.bin | rtf-objdata-decoded | RTF \objdata at offset 0x51B49 | 29243 bytes | 52c0b9a802405fc1e6d84c7e124b90d7c654ddd9cb0c87fb5478945c90489838 | ClamAV: Doc.Macro.Obfuscation-6391394-0 | unlikely |
| objdata_05_off000657f4.bin | rtf-objdata-decoded | RTF \objdata at offset 0x657F4 | 29243 bytes | 6edd1f0c93907360c57517b1ce6e1d3f3c59fda68a64a9d24566050a725c5087 | ClamAV: Doc.Macro.Obfuscation-6391394-0 | unlikely |
| objdata_06_off0007949f.bin | rtf-objdata-decoded | RTF \objdata at offset 0x7949F | 29243 bytes | 1f863be3411fad0186c040e48dc0f4484572b1882f2d255b6b4befc491f65387 | ClamAV: Doc.Macro.Obfuscation-6391394-0 | unlikely |
| objdata_07_off0008d14a.bin | rtf-objdata-decoded | RTF \objdata at offset 0x8D14A | 29243 bytes | 1205f9659051fc6d69800f5f9ac2057f4156f52aa1eff7bc47cfce9c053e85c9 | ClamAV: Doc.Macro.Obfuscation-6391394-0 | unlikely |
| objdata_08_off000a0df5.bin | rtf-objdata-decoded | RTF \objdata at offset 0xA0DF5 | 29243 bytes | e82b926cc14a17c701dec2d9b2bc63719196dd5c9b62fba5c0451ee862fafd30 | ClamAV: Doc.Macro.Obfuscation-6391394-0 | unlikely |
| objdata_09_off000b4aa0.bin | rtf-objdata-decoded | RTF \objdata at offset 0xB4AA0 | 29243 bytes | 8fdd655cc247a7505e16b710aa6cce6749f49c19e4a3e4d6701b860092f3b9e5 | ClamAV: Doc.Macro.Obfuscation-6391394-0 | unlikely |
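The document-level heuristics listed above and the carving shown in the artifact table (decode each \objdata group to bytes, hash the result, check the RTF for \objupdate and \objemb, look for the Composite Moniker CLSID in the decoded object, and pull URLs out of the body) can be reproduced with a short script. This is an added example, not the analyzer's own code: the RTF input is a constructed sample rather than the analysed file, the CLSID constant is the standard Composite Moniker CLSID {00000309-0000-0000-C000-000000000046} written in its little-endian stream form, and the scriptlet marker list and all function names are my own choices.

```python
import hashlib
import re

# Little-endian on-disk form of the Composite Moniker CLSID
# {00000309-0000-0000-C000-000000000046}, as it appears inside an OLE stream.
COMPOSITE_MONIKER_CLSID = bytes.fromhex("0903000000000000C000000000000046")

# Markers whose presence in a carved object would upgrade "related moniker
# evidence" to a confirmed scriptlet payload (assumed list; the report found none).
SCRIPTLET_MARKERS = (b"<scriptlet", b"<?xml", b".sct")

CONTROL_WORD = re.compile(rb"\\[a-zA-Z]+-?\d* ?")   # e.g. \objdata, \junk1
URL = re.compile(rb"https?://[^\s{}\\]+")


def rtf_groups(data: bytes, keyword: bytes):
    """Yield the body of every RTF group containing `keyword`, honouring
    nested braces (the body starts right after the keyword)."""
    start = 0
    while True:
        idx = data.find(keyword, start)
        if idx < 0:
            return
        depth, end = 0, len(data)
        for pos in range(idx, len(data)):
            c = data[pos:pos + 1]
            if c == b"{":
                depth += 1
            elif c == b"}":
                if depth == 0:
                    end = pos
                    break
                depth -= 1
        yield data[idx + len(keyword):end]
        start = end + 1


def decode_objdata(body: bytes) -> bytes:
    """Decode the hex payload of one \\objdata group. Like Word's parser, skip
    nested groups and unknown control words while collecting hex digits; that
    is what defeats the junk-splicing obfuscation common in exploit RTFs.
    (\\binN raw-byte runs are not handled here.)"""
    out = bytearray()
    depth = i = 0
    while i < len(body):
        c = body[i:i + 1]
        if c == b"{":
            depth += 1
        elif c == b"}":
            depth = max(depth - 1, 0)
        elif depth == 0:
            if c == b"\\":
                m = CONTROL_WORD.match(body, i)
                if m:
                    i = m.end()
                    continue
            elif c in b"0123456789abcdefABCDEF":
                out += c
        i += 1
    hexdigits = bytes(out[:len(out) - len(out) % 2])   # drop a dangling nibble
    return bytes.fromhex(hexdigits.decode("ascii"))


def analyse_rtf(data: bytes) -> dict:
    """Reproduce the document-level heuristics and the \\objdata carving."""
    artifacts = []
    for body in rtf_groups(data, b"\\objdata"):
        blob = decode_objdata(body)
        artifacts.append({
            "size": len(blob),
            "sha256": hashlib.sha256(blob).hexdigest(),
            "composite_moniker": COMPOSITE_MONIKER_CLSID in blob,
            "scriptlet_payload": any(m in blob.lower() for m in SCRIPTLET_MARKERS),
        })
    return {
        "objupdate": b"\\objupdate" in data,   # auto-activation on open
        "objemb": b"\\objemb" in data,         # embedded (not linked) object
        "objdata_count": len(artifacts),
        "urls": sorted(set(URL.findall(data))),
        "artifacts": artifacts,
    }


# Constructed sample, not the analysed file: a namespace-table URL, two
# embedded objects (the second carries the Composite Moniker CLSID with a junk
# control word and a nested group spliced into its hex), and \objupdate.
SAMPLE_RTF = (
    b"{\\rtf1{\\*\\xmlnstbl{\\xmlns1 http://schemas.microsoft.com/office/word/2003/wordml}}"
    b"{\\object\\objemb\\objupdate{\\*\\objclass Package}"
    b"{\\*\\objdata 0105000002000000}}"
    b"{\\object\\objemb{\\*\\objdata 01050000 \\junk1 0903000000{\\*\\noise xyz}"
    b"000000C000000000000046 0a}}}"
)

if __name__ == "__main__":
    report = analyse_rtf(SAMPLE_RTF)
    for key in ("objupdate", "objemb", "objdata_count", "urls"):
        print(f"{key}: {report[key]}")
    for n, art in enumerate(report["artifacts"]):
        print(f"objdata_{n:02d}: {art}")
```

Run against the real file, the per-object sizes and SHA-256 values should line up with the artifact table, provided the decoder applies the same skip rules as the analyzer; a mismatch on one object usually means a spliced control word, nested group or \bin run was treated differently from how Word reads it, which is exactly the seam exploit authors probe.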