Verdict: MALICIOUS
Risk score: 242

Heuristics (6)

- Composite Moniker in RTF OLE object [high] (RTF_COMPOSITE_MONIKER_RELATED): RTF contains Composite Moniker CLSID in OLE object context, but no nearby scriptlet/SCT payload was confirmed. Treat as related moniker attack-surface evidence rather than proof of CVE-2017-8570 exploitation.
- ClamAV: Xls.Malware.Generic-6834349-0 [critical] (CLAMAV_DETECTION): ClamAV detected this file as malware: Xls.Malware.Generic-6834349-0
- \objupdate forces OLE activation [high] (RTF_OBJUPDATE): RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
- OLE object data [medium] (RTF_OBJDATA): RTF contains 10 \objdata section(s) (embedded OLE objects).
- Embedded OLE object [medium] (RTF_OBJEMB): RTF contains \objemb (embedded OLE object).
- Embedded URL [info] (EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.microsoft.com/office/word/2003/wordml (in RTF body)
Extracted artifacts (10)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 | Detection | Obfuscation or payload |
|---|---|---|---|---|---|---|
| objdata_00_off00003d75.bin | rtf-objdata-decoded | RTF \objdata at offset 0x3D75 | 35899 bytes | e6938906385aeea15b85d76b91f7f199126c3ac2b68962de3390cb8766b02ac6 | ClamAV: Xls.Malware.Generic-6834349-0 | unlikely |
| objdata_01_off0001ae6b.bin | rtf-objdata-decoded | RTF \objdata at offset 0x1AE6B | 35899 bytes | 09c45348c450e3aa18eac2c4747b9c4fabac75bc66107e65472fec4029cd2eff | ClamAV: Xls.Malware.Generic-6834349-0 | unlikely |
| objdata_02_off00031f61.bin | rtf-objdata-decoded | RTF \objdata at offset 0x31F61 | 35899 bytes | 52cb251f98f77517076deb01fe9ecb0a24f431144fa2f75017625c325f04f39c | ClamAV: Xls.Malware.Generic-6834349-0 | unlikely |
| objdata_03_off00049057.bin | rtf-objdata-decoded | RTF \objdata at offset 0x49057 | 35899 bytes | 3eabc263d9b5062b06df490bb73e70de26baba86d413fbeb2e5caa3a670f17b2 | ClamAV: Xls.Malware.Generic-6834349-0 | unlikely |
| objdata_04_off0006014d.bin | rtf-objdata-decoded | RTF \objdata at offset 0x6014D | 35899 bytes | de754c9e0b69e825d94fef9081bd804714ee0b3fd3b7e59a91ff66f81562b5d8 | ClamAV: Xls.Malware.Generic-6834349-0 | unlikely |
| objdata_05_off0007805a.bin | rtf-objdata-decoded | RTF \objdata at offset 0x7805A | 35899 bytes | 335ce98680fca86263655c593dd265ffe5e76b46d9e5359b10cbd4ea13f04155 | ClamAV: Xls.Malware.Generic-6834349-0 | unlikely |
| objdata_06_off0008f16e.bin | rtf-objdata-decoded | RTF \objdata at offset 0x8F16E | 35899 bytes | 7747011c54f63aeb300eb28b50bbc91936279fb0e346fce543432d9f2169e240 | ClamAV: Xls.Malware.Generic-6834349-0 | unlikely |
| objdata_07_off000a6284.bin | rtf-objdata-decoded | RTF \objdata at offset 0xA6284 | 35899 bytes | c8933c5f34c8a8a274eb9de48eb3cb9e3153dee014a8c490cef08ebc6129e543 | ClamAV: Xls.Malware.Generic-6834349-0 | unlikely |
| objdata_08_off000bd39a.bin | rtf-objdata-decoded | RTF \objdata at offset 0xBD39A | 35899 bytes | 39e5734e92eab68d8a60eb5bcf75910c75c533cdba0416c1f6565d91f1760899 | ClamAV: Xls.Malware.Generic-6834349-0 | unlikely |
| objdata_09_off000d44b0.bin | rtf-objdata-decoded | RTF \objdata at offset 0xD44B0 | 35899 bytes | 16299e96c4491aa6ded26ee509848f3ae89d7bc9e7257307fa2387d3d21a5db3 | ClamAV: Xls.Malware.Generic-6834349-0 | unlikely |