Verdict: MALICIOUS
Risk Score: 142

Malware Insights

MITRE ATT&CK:
- T1203 Exploitation for Client Execution
- T1566.001 Spearphishing Attachment
The RTF file contains multiple embedded OLE objects, with a critical heuristic firing for CVE-2017-8759, indicating exploitation of MSXML SAX OLE activation. The presence of \objupdate directives further suggests an attempt to force OLE object activation. This points to a malicious document designed to exploit this vulnerability for client-side execution.
Heuristics (5)

- CVE-2017-8759 — MSXML SAX OLE activation [critical; CVE likely; rule CVE_2017_8759]: RTF contains a hex-encoded OLE1 object for Msxml2.SAXXMLReader.6.0 followed by an embedded OLE compound document, and the document requests OLE activation. This matches the RTF staging shape used for CVE-2017-8759 SOAP/WSDL parser code injection.
- \objupdate forces OLE activation [high; rule RTF_OBJUPDATE]: RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
- OLE object data [medium; rule RTF_OBJDATA]: RTF contains 10 \objdata section(s) (embedded OLE objects).
- Embedded OLE object [medium; rule RTF_OBJEMB]: RTF contains \objemb (embedded OLE object).
- Embedded URL [info; rule EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.microsoft.com/office/word/2003/wordml (in RTF body).
Extracted artifacts 8
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| objdata_00_off00002959.bin | rtf-objdata-decoded | RTF \objdata at offset 0x2959 | 17985 bytes | d9975f2b48d57e28e9df38cd236914583014fdc27f0a04a9d3009ff6d9ff9435 |
| objdata_01_off0000c300.bin | rtf-objdata-decoded | RTF \objdata at offset 0xC300 | 17985 bytes | 8ee2b96ca3e934d40b61c439e102307412f0e5948ce43197b9139e4a19cca3d9 |
| objdata_02_off00015ca7.bin | rtf-objdata-decoded | RTF \objdata at offset 0x15CA7 | 17985 bytes | d3b0c661255fbe8e5521cacb472155679fc0887998739dc7129ff96cf13756cc |
| objdata_03_off0001f64e.bin | rtf-objdata-decoded | RTF \objdata at offset 0x1F64E | 17985 bytes | 799b0fd05f87e99c56d347e377a78d68c9ac473c8a28e2dacdbc64e971c2921b |
| objdata_04_off00028ff5.bin | rtf-objdata-decoded | RTF \objdata at offset 0x28FF5 | 17985 bytes | 3acd9ffa746fdf5fef0c9eeded2793f31585cd8b6f04ff8f787f03d0083c3669 |
| objdata_05_off0003299c.bin | rtf-objdata-decoded | RTF \objdata at offset 0x3299C | 17985 bytes | 7fda504c602c8905346cc8ab6812723ba17e58bec1caa201b06022b2a1b87773 |
| objdata_06_off0003c343.bin | rtf-objdata-decoded | RTF \objdata at offset 0x3C343 | 17985 bytes | 9c325e6a70c55dc5817b0a2a1d974d951850495799d78f390ad72588b3ab615c |
| objdata_08_off0004f691.bin | rtf-objdata-decoded | RTF \objdata at offset 0x4F691 | 17985 bytes | 4f14e22484bed945c5ac0a80b28925bef9c228cc89b88e8128946b79857fac35 |