MALICIOUS
142
Risk Score
Malware Insights
MITRE ATT&CK
T1203 Exploitation for Client Execution
T1566.001 Spearphishing Attachment
The RTF file contains multiple embedded OLE objects and triggers an OLE activation via \objupdate, which is a strong indicator of exploitation. The critical heuristic firing for CVE-2017-8759 confirms the exploitation of this specific vulnerability to achieve code execution. The embedded benign URL is not considered a malicious IOC.
Heuristics 5
-
CVE-2017-8759 — MSXML SAX OLE activation critical CVE likely CVE_2017_8759RTF contains a hex-encoded OLE1 object for Msxml2.SAXXMLReader.6.0 followed by an embedded OLE compound document, and the document requests OLE activation. This matches the RTF staging shape used for CVE-2017-8759 SOAP/WSDL parser code injection.
-
\objupdate forces OLE activation high RTF_OBJUPDATERTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
-
OLE object data medium RTF_OBJDATARTF contains 10 \objdata section(s) — embedded OLE objects
-
Embedded OLE object medium RTF_OBJEMBRTF contains \objemb — embedded OLE object
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.microsoft.com/office/word/2003/wordml In RTF body
Extracted artifacts 10
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
objdata_00_off00002c4b.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x2C4B | 26683 bytes |
SHA-256: 27fc393dc810f8bd426a7fe2ef71f72bb0e07ac21ec3acdedd364c4ea884673a |
|||
objdata_01_off00015c72.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x15C72 | 26683 bytes |
SHA-256: cac63fa4e3bae7583c97dca570384f4500250129e13e5eb87cac3bcae500bdc1 |
|||
objdata_02_off00028c99.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x28C99 | 26683 bytes |
SHA-256: dd81e67fa7c63e06f021af2a5b0b598e88b110e196c9091788833a1a70730eee |
|||
objdata_03_off0003bcc0.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x3BCC0 | 26683 bytes |
SHA-256: a2c31a865b5fa48e76036c226cd389a889c2e5fdf7a4062648a225c477c1d908 |
|||
objdata_04_off0004ece7.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x4ECE7 | 26683 bytes |
SHA-256: 92fc346ed7d38a0fb5ad8e1eafcdd007a47cbc0aedcf0c071f55d71bf4fb8236 |
|||
objdata_05_off00061d5a.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x61D5A | 26683 bytes |
SHA-256: 31ce71325a40954c5b912eb163eaa664c53802315b08d0f3b94dc6fa668682de |
|||
objdata_06_off00074d81.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x74D81 | 26683 bytes |
SHA-256: c7cfd3441bcdf2bc917363c2f097eb02254bfc579702ebaa01d04f6796b76db5 |
|||
objdata_07_off00087da8.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x87DA8 | 26683 bytes |
SHA-256: d40ec9a4da49ae7011d34717efe6dc805db78500303d766eb01d000a7f487a0c |
|||
objdata_08_off0009adcf.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x9ADCF | 26683 bytes |
SHA-256: 702fcbb47b9c946b564e3bfe5d7a459e2e02d37b164a2a0065c3348308f9eae6 |
|||
objdata_09_off000addf6.bin |
rtf-objdata-decoded | RTF \objdata at offset 0xADDF6 | 26683 bytes |
SHA-256: db15b8e6bd1fd6b9c44825a1eceecaeb8f28d43574fdf29e5e76fcdb9a5f164c |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.