Verdict: MALICIOUS (Risk Score: 182)

Malware Insights

MITRE ATT&CK:
- T1203 Exploitation for Client Execution
- T1566.001 Spearphishing Attachment

The RTF file contains embedded OLE objects and is weaponized to exploit CVE-2017-0199. It attempts to download and execute a secondary payload from the URL https://a.pomf.cat/nyxeve.hta. The presence of OLE objects and the specific CVE exploit indicate a malicious document designed for initial compromise.
Heuristics (5)

- CVE-2017-0199 (OLE2Link / weaponized URL) [critical, exact; CVE_2017_0199_WEAPONIZED_URL]: RTF contains a URL Moniker OLE link to a script/HTA/template-style remote loader, matching the tighter static CVE-2017-0199 shape.
- ClamAV: Rtf.Exploit.CVE_2017_0199-6335035-0 [critical; CLAMAV_DETECTION]: ClamAV detected this file as malware: Rtf.Exploit.CVE_2017_0199-6335035-0
- Automatically linked OLE object [high; RTF_OBJAUTLINK]: RTF contains \objautlink, an automatically linked OLE object surface that can be updated or activated when Word opens the document.
- OLE object data [medium; RTF_OBJDATA]: RTF contains 36 \objdata section(s) (embedded OLE objects).
- Embedded URL [info; EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - https://a.pomf.cat/nyxeve.hta (in RTF body)
  - http://schemas.microsoft.com/office/word/2003/wordml (in RTF body)
Extracted artifacts (32)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| objdata_00_off00008ce7.bin | rtf-objdata-decoded | RTF \objdata at offset 0x8CE7 | 3760 bytes | b00dba8abe8d2e3cdf067e29fd9a3169452ecaccb2204e5b36258ece3a58fb33 |
| objdata_01_off0001121a.bin | rtf-objdata-decoded | RTF \objdata at offset 0x1121A | 3728 bytes | 02a6dec8380dd7f7896df28fa5bf6f83441eae5fbb47f707f12366c364adc7a2 |
| objdata_02_off0001970d.bin | rtf-objdata-decoded | RTF \objdata at offset 0x1970D | 3728 bytes | ce8e7b9e6d1acd03fdb388eb7218d9cb0e26f444996256fd91a427f2fc1dc6e5 |
| objdata_03_off00021c00.bin | rtf-objdata-decoded | RTF \objdata at offset 0x21C00 | 3728 bytes | b9cf030f39ebcca104b779e4e143663c963e7c3311b99d20f2bc2d175ad46763 |
| objdata_04_off0002a0f3.bin | rtf-objdata-decoded | RTF \objdata at offset 0x2A0F3 | 3728 bytes | 59a8d0374cfa4298de129ca14891e7d55bd06c6b30a60a3738298e38661463b5 |
| objdata_05_off000325e6.bin | rtf-objdata-decoded | RTF \objdata at offset 0x325E6 | 3728 bytes | 84accbb85fde65fdc60ee7b91469e427efc5fa8f6d2071d1d28f9f953d20ace1 |
| objdata_06_off0003aad9.bin | rtf-objdata-decoded | RTF \objdata at offset 0x3AAD9 | 3728 bytes | 3de170aa1e22eb255b9e90fc9269e26d67e325382f942df1a3b3478c6ab2c9d5 |
| objdata_07_off00042fcc.bin | rtf-objdata-decoded | RTF \objdata at offset 0x42FCC | 3728 bytes | 6c98eb9dd72f1c17d44b6ec946d6bac90098fe15d3015e5aaa7c3b8b3e04bcbb |
| objdata_08_off0004b4bf.bin | rtf-objdata-decoded | RTF \objdata at offset 0x4B4BF | 3728 bytes | cc7279bd67556d175c29ae8b0b9f4a1fcda845016b7bfd9767b2d955bba01200 |
| objdata_09_off000539b2.bin | rtf-objdata-decoded | RTF \objdata at offset 0x539B2 | 3728 bytes | 43337d2901e27e688e567e76a7823508332b3b37323338c1cdc747474b2c65f9 |
| objdata_10_off0005bea5.bin | rtf-objdata-decoded | RTF \objdata at offset 0x5BEA5 | 3728 bytes | 2d11c6a3dc35187c98ed84a9099b70f3f293ab4b0812c108c92aeca7ec3977f8 |
| objdata_11_off00064398.bin | rtf-objdata-decoded | RTF \objdata at offset 0x64398 | 3728 bytes | 0ef68718b0bd61f82eced2790d5ec9ec090dc6de565324265afeb6e4c5bc3e07 |
| objdata_12_off0006c88b.bin | rtf-objdata-decoded | RTF \objdata at offset 0x6C88B | 3728 bytes | d929509637c6c2cdafeefb743403df5cc0d4ec0b5a5a2634633a36ed050c6419 |
| objdata_13_off00074d7e.bin | rtf-objdata-decoded | RTF \objdata at offset 0x74D7E | 3728 bytes | 768ea28000ffd0f2f475284e6a1d8fdd914140bb82182c44766f9dc26688ca3a |
| objdata_14_off0007d271.bin | rtf-objdata-decoded | RTF \objdata at offset 0x7D271 | 3728 bytes | 9c13a8b2c1e2bf129c9f70600023704c7554a225f29a9a21220092cc6a4cea93 |
| objdata_15_off00085764.bin | rtf-objdata-decoded | RTF \objdata at offset 0x85764 | 3728 bytes | cc8274c3c37db185b59a8dec3cd9d2406abbc15091785277c64cf7966328e76f |
| objdata_16_off0008dc57.bin | rtf-objdata-decoded | RTF \objdata at offset 0x8DC57 | 3728 bytes | 66e517cccb7101478055668d9c83c2deb7b7b3a29a76d898f18a8b02da74b852 |
| objdata_17_off0009614a.bin | rtf-objdata-decoded | RTF \objdata at offset 0x9614A | 3728 bytes | ea678e966c4acce273ef9498750dc36d3d7c23edb9ab8f0154fa3e1d7084df65 |
| objdata_18_off0009e63d.bin | rtf-objdata-decoded | RTF \objdata at offset 0x9E63D | 3728 bytes | 135a717db652bdc33e91031cf51aae0987798fb6595e1c1e7d07801b356f5600 |
| objdata_19_off000a6b30.bin | rtf-objdata-decoded | RTF \objdata at offset 0xA6B30 | 3728 bytes | d4507abfc841b420ec17f4e0973de9d7634a80d3573d9d7bbd6f4f1a338b13b8 |
| objdata_20_off000af023.bin | rtf-objdata-decoded | RTF \objdata at offset 0xAF023 | 3728 bytes | 69c38b68cd0a3403fae8e9a8980c951e2e7473d609356b5c6d650984ba261394 |
| objdata_21_off000b7516.bin | rtf-objdata-decoded | RTF \objdata at offset 0xB7516 | 3728 bytes | bdc36563f049f4623b7fea49c7d3ba2d366a691cf79db41c9e7e9c62100442c6 |
| objdata_22_off000bfa09.bin | rtf-objdata-decoded | RTF \objdata at offset 0xBFA09 | 3728 bytes | b7170c6c7f806319cf7d831b1f1c0399b2f91ae7353206a44c4c579568bd351a |
| objdata_23_off000c7efc.bin | rtf-objdata-decoded | RTF \objdata at offset 0xC7EFC | 3728 bytes | 8885620131da006ac1fceb6c779d5ad369539c42323c913de2cd7cf57e674a22 |
| objdata_24_off000d03ef.bin | rtf-objdata-decoded | RTF \objdata at offset 0xD03EF | 3728 bytes | 4c5f5e0c3d1a9e54723643ac722e4171f1d89a3eb63240b944d7cad75ae96133 |
| objdata_25_off000d88e2.bin | rtf-objdata-decoded | RTF \objdata at offset 0xD88E2 | 3728 bytes | e02c6b18f0eb956b3c8978d34b73b0345d6ea6ac92229b0862e9897d1627134a |
| objdata_26_off000e0dd5.bin | rtf-objdata-decoded | RTF \objdata at offset 0xE0DD5 | 3728 bytes | b7a9c50f9d61f6883cb615c8f647bdf8d4f3190a0e7d0bc1ac45ae48c9799600 |
| objdata_27_off000e92c8.bin | rtf-objdata-decoded | RTF \objdata at offset 0xE92C8 | 3728 bytes | a81aa9183a83147af7d0169245af7612927a28b38e1c085540ddd643949bcf71 |
| objdata_28_off000f17bb.bin | rtf-objdata-decoded | RTF \objdata at offset 0xF17BB | 3728 bytes | a04eef77afb03a8cd1c58acab1ccf17120bd8673fab8071bd5c24c4d2687b3af |
| objdata_29_off000f9cae.bin | rtf-objdata-decoded | RTF \objdata at offset 0xF9CAE | 3728 bytes | fbbaed5886d1e8d4532968fa8cf8d5aa96e26b11bf6fa45fb7c64dba5bd16ed9 |
| objdata_30_off001021a1.bin | rtf-objdata-decoded | RTF \objdata at offset 0x1021A1 | 3728 bytes | 69f32c08740b537afa7ddf533eec474c300e38882dafb643efd31a2565ab1fef |
| objdata_31_off0010a694.bin | rtf-objdata-decoded | RTF \objdata at offset 0x10A694 | 3728 bytes | 4897cb0b6c08183abc360a2f67ecd332ad53ec52be8967c27a5518c106afd4ce |