Verdict: MALICIOUS
Risk Score: 142

Malware Insights

MITRE ATT&CK
- T1203 Exploitation for Client Execution
- T1566.001 Spearphishing Attachment
The RTF file contains multiple embedded OLE objects and triggers an OLE activation via \objupdate, which is a strong indicator of exploitation. The critical heuristic firing for CVE-2017-8759 confirms the exploitation of this specific vulnerability to achieve code execution. The embedded benign URL is not considered a malicious IOC.
Heuristics (5)

- CVE-2017-8759 — MSXML SAX OLE activation (severity: critical, CVE likely; rule: CVE_2017_8759). RTF contains a hex-encoded OLE1 object for Msxml2.SAXXMLReader.6.0 followed by an embedded OLE compound document, and the document requests OLE activation. This matches the RTF staging shape used for CVE-2017-8759 SOAP/WSDL parser code injection.
- \objupdate forces OLE activation (severity: high; rule: RTF_OBJUPDATE). RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
- OLE object data (severity: medium; rule: RTF_OBJDATA). RTF contains 10 \objdata section(s) — embedded OLE objects.
- Embedded OLE object (severity: medium; rule: RTF_OBJEMB). RTF contains \objemb — embedded OLE object.
- Embedded URL (severity: info; rule: EMBEDDED_URL). One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.microsoft.com/office/word/2003/wordml (in RTF body).
Extracted artifacts (10)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| objdata_00_off00002c17.bin | rtf-objdata-decoded | RTF \objdata at offset 0x2C17 | 26171 bytes | 75699f158555fc715fea02764fe1cc3eae06b562ea59b07caf507cbf8ba1a1b7 |
| objdata_01_off000152bd.bin | rtf-objdata-decoded | RTF \objdata at offset 0x152BD | 26171 bytes | d4ff1eeeb1a1e1134bd200553cb12da0cf2724060d16d97825976ed889633b1d |
| objdata_02_off00027963.bin | rtf-objdata-decoded | RTF \objdata at offset 0x27963 | 26171 bytes | ae8b0e24d51ede672e13df3e5276dcbfe14a44c99479bf6736986fc7a59918ae |
| objdata_03_off0003a009.bin | rtf-objdata-decoded | RTF \objdata at offset 0x3A009 | 26171 bytes | fccedf99e5ba8ba4f7f451f1a50593b25ed013062420f2db607623a18b5dc65f |
| objdata_04_off0004c6af.bin | rtf-objdata-decoded | RTF \objdata at offset 0x4C6AF | 26171 bytes | f341e94e20eb442f73982fedb38b12994371df85907e1e3eff55cfc87f95ed7d |
| objdata_05_off0005ed55.bin | rtf-objdata-decoded | RTF \objdata at offset 0x5ED55 | 26171 bytes | 668b5b810a2c19aa85bdab1c5e69ce1fa3f4c5bcf76509e157e1369b58271f3f |
| objdata_06_off000713fb.bin | rtf-objdata-decoded | RTF \objdata at offset 0x713FB | 26171 bytes | 1d75692e68c424e799d0c3e43de4a0b31cd38c5a747ea864d7c2970b0dfb5599 |
| objdata_07_off00083aa1.bin | rtf-objdata-decoded | RTF \objdata at offset 0x83AA1 | 26171 bytes | 08078545e98f8b4d2d456fce10f0170388f85f0eeb8a14560131e9c249802355 |
| objdata_08_off00096147.bin | rtf-objdata-decoded | RTF \objdata at offset 0x96147 | 26171 bytes | 6cbff530a3a73c4dc7b53d7c165ed5b8b7a611392e2404673232af229ea4b77c |
| objdata_09_off000a87ed.bin | rtf-objdata-decoded | RTF \objdata at offset 0xA87ED | 26171 bytes | 157fb595379c66f95006c8f125f9d1c49ede00525945ff96ef1c5e3dd957418e |