Xls.Malware.Sload-7135989-0 — RTF malware analysis

Static analysis result for SHA-256 342300f4fd02d031…

MALICIOUS

RTF

515.7 KB Created: 2018-06-19 10:53:00 First seen: 2018-07-04
MD5: ea1d2342f73d62e6b454b6bc3645f7cd SHA-1: 63694ab0e718d84b68c3e294eadc2255e8a562b1 SHA-256: 342300f4fd02d031f56642644a9a7b1bbfe83fe1ac893b4341a04f91c0365155
Risk Score: 242

Malware Insights

Xls.Malware.Sload-7135989-0 · confidence 95%

MITRE ATT&CK
T1203 Exploitation for Client Execution; T1566.001 Spearphishing Attachment

The RTF file contains multiple OLE objects, with heuristics indicating ".objupdate" forces OLE activation and the presence of Composite Monikers. ClamAV signatures identify the embedded content as Xls.Malware.Sload-7135989-0, suggesting an exploit targeting spreadsheet functionality. The primary attack vector is likely spearphishing, with the embedded OLE object serving as the malicious payload.

Heuristics (6)

  • Composite Moniker in RTF OLE object [high, CVE related] RTF_COMPOSITE_MONIKER_RELATED
    RTF contains Composite Moniker CLSID in OLE object context, but no nearby scriptlet/SCT payload was confirmed. Treat as related moniker attack-surface evidence rather than proof of CVE-2017-8570 exploitation.
  • ClamAV: Xls.Malware.Generic-6834349-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Malware.Generic-6834349-0
  • \objupdate forces OLE activation [high] RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data [medium] RTF_OBJDATA
    RTF contains 5 \objdata section(s) — embedded OLE objects
  • Embedded OLE object [medium] RTF_OBJEMB
    RTF contains \objemb — embedded OLE object
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.microsoft.com/office/word/2003/wordml (in RTF body)

Extracted artifacts (5)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size

objdata_00_off000049fc.bin | rtf-objdata-decoded | RTF \objdata at offset 0x49FC | 35899 bytes
  SHA-256: 13633cb71acbef17f41f034fcb09d11825586f063afb49feafc3a117c6139543
  Detection: ClamAV: Xls.Malware.Generic-6834349-0
  Obfuscation or payload: unlikely

objdata_01_off0001ba46.bin | rtf-objdata-decoded | RTF \objdata at offset 0x1BA46 | 35899 bytes
  SHA-256: 62a8bb89780901f40565c346e01acc4900d7ae1b44306b0ea5f491e9b13825f2
  Detection: ClamAV: Xls.Malware.Generic-6834349-0
  Obfuscation or payload: unlikely

objdata_02_off00032b97.bin | rtf-objdata-decoded | RTF \objdata at offset 0x32B97 | 35899 bytes
  SHA-256: d88fa8e6a1f9a6b86a0d51a42ebcb3a88587a7a5087dbd93f82aab5102ada562
  Detection: ClamAV: Xls.Malware.Generic-6834349-0
  Obfuscation or payload: unlikely

objdata_03_off00049ce8.bin | rtf-objdata-decoded | RTF \objdata at offset 0x49CE8 | 35899 bytes
  SHA-256: 0119115eea20ab86cda8d0d4888afb21c9a5d61c97d94fae7e068330cd3657de
  Detection: ClamAV: Xls.Malware.Generic-6834349-0
  Obfuscation or payload: unlikely

objdata_04_off00060e39.bin | rtf-objdata-decoded | RTF \objdata at offset 0x60E39 | 35899 bytes
  SHA-256: bd3fbc002b355a1801151a16bc4b581b7558f82740f11600c2fe420a7b8bf577
  Detection: ClamAV: Xls.Malware.Generic-6834349-0
  Obfuscation or payload: unlikely