Xls.Malware.Sload-7135989-0 — RTF malware analysis

Static analysis result for SHA-256 26606fc53642fc0c…

MALICIOUS

RTF

Size: 789.6 KB · Created: 2018-07-17 14:20:00 · First seen: 2019-01-11
MD5: 68af5204d88863e0de71483e4ba1d0b1
SHA-1: 049e5a2814d5bc245a932f03f6c27fd9d80273d3
SHA-256: 26606fc53642fc0c998788b1e9f2a9a669af17476f14c20082d36a2997f2c699
Risk Score: 242

Malware Insights

Xls.Malware.Sload-7135989-0 · confidence 95%

MITRE ATT&CK
T1203 Exploitation for Client Execution · T1566.001 Spearphishing Attachment

The RTF file contains multiple OLE objects, with heuristics indicating ".objupdate" forces OLE activation and the presence of Composite Monikers. ClamAV signatures identify the embedded content as Xls.Malware.Sload-7135989-0, suggesting an exploit targeting spreadsheet functionality. The primary attack vector is likely spearphishing, with the embedded OLE object serving as the malicious payload.

Heuristics (6)

  • Composite Moniker in RTF OLE object [high, CVE related] RTF_COMPOSITE_MONIKER_RELATED
    RTF contains Composite Moniker CLSID in OLE object context, but no nearby scriptlet/SCT payload was confirmed. Treat as related moniker attack-surface evidence rather than proof of CVE-2017-8570 exploitation.
  • ClamAV: Xls.Malware.Sload-7135989-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Malware.Sload-7135989-0
  • \objupdate forces OLE activation [high] RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data [medium] RTF_OBJDATA
    RTF contains 10 \objdata section(s) — embedded OLE objects
  • Embedded OLE object [medium] RTF_OBJEMB
    RTF contains \objemb — embedded OLE object
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.microsoft.com/office/word/2003/wordml (in RTF body)

Extracted artifacts (10)

Files carved from inside the sample during analysis.

Columns: Filename · Kind · Source · Size

  • objdata_00_off00003c2d.bin · rtf-objdata-decoded · RTF \objdata at offset 0x3C2D · 27195 bytes
    SHA-256: 0a745a4d4b62aaa42d8c4c118f0dd9505c497ffa9561d5b8ac7cdc5a0b6c4457
    Detection: ClamAV: Xls.Malware.Sload-7135989-0
    Obfuscation or payload: unlikely
  • objdata_01_off00016899.bin · rtf-objdata-decoded · RTF \objdata at offset 0x16899 · 27195 bytes
    SHA-256: 653cf65b815d602afd9248bffa10091f90911abef781b760edc07b6b451ac3e6
    Detection: ClamAV: Xls.Malware.Sload-7135989-0
    Obfuscation or payload: unlikely
  • objdata_02_off00029505.bin · rtf-objdata-decoded · RTF \objdata at offset 0x29505 · 27195 bytes
    SHA-256: 6975fbbbc46d8be5f0e9305b5392795624e4f78ed3aea3950c597d4eac847679
    Detection: ClamAV: Xls.Malware.Sload-7135989-0
    Obfuscation or payload: unlikely
  • objdata_03_off0003c171.bin · rtf-objdata-decoded · RTF \objdata at offset 0x3C171 · 27195 bytes
    SHA-256: aacb87b25427801a5d6d2a2a72df70fa6655b18fbfb7a79c991e5e223c4af2e1
    Detection: ClamAV: Xls.Malware.Sload-7135989-0
    Obfuscation or payload: unlikely
  • objdata_04_off0004eddd.bin · rtf-objdata-decoded · RTF \objdata at offset 0x4EDDD · 27195 bytes
    SHA-256: 40398808b954c2c73aa0f02428d7fb1c4ba150cbadd8b8c0c4cfe3d19cbc3740
    Detection: ClamAV: Xls.Malware.Sload-7135989-0
    Obfuscation or payload: unlikely
  • objdata_05_off00062859.bin · rtf-objdata-decoded · RTF \objdata at offset 0x62859 · 27195 bytes
    SHA-256: 3642a3eaebebb823f35322b2c7bfb2e058c3284a5ae17d8f6efa2197d04fe175
    Detection: ClamAV: Xls.Malware.Sload-7135989-0
    Obfuscation or payload: unlikely
  • objdata_06_off000754e4.bin · rtf-objdata-decoded · RTF \objdata at offset 0x754E4 · 27195 bytes
    SHA-256: d3222a73dacffc910cdff223d988d3a600fcd26daedd7d8103b44e2216ea6f4b
    Detection: ClamAV: Xls.Malware.Sload-7135989-0
    Obfuscation or payload: unlikely
  • objdata_07_off00088171.bin · rtf-objdata-decoded · RTF \objdata at offset 0x88171 · 27195 bytes
    SHA-256: edac9ddb428930adba1d7adbe7c9cc085bc463ac805d73b277577654286665cc
    Detection: ClamAV: Xls.Malware.Sload-7135989-0
    Obfuscation or payload: unlikely
  • objdata_08_off0009adfe.bin · rtf-objdata-decoded · RTF \objdata at offset 0x9ADFE · 27195 bytes
    SHA-256: be6647a6fa87216a3963aae8c40028a98413f4166e7de5422bbf77d053d10833
    Detection: ClamAV: Xls.Malware.Sload-7135989-0
    Obfuscation or payload: unlikely
  • objdata_09_off000ada8b.bin · rtf-objdata-decoded · RTF \objdata at offset 0xADA8B · 27195 bytes
    SHA-256: 4f997265a92769ce69f24515f0ff975dee16eb0c5a2abdbe983d69eee1115781
    Detection: ClamAV: Xls.Malware.Sload-7135989-0
    Obfuscation or payload: unlikely