Verdict: MALICIOUS (Risk Score: 182)

Malware Insights

MITRE ATT&CK
- T1203 Exploitation for Client Execution
- T1566.001 Spearphishing Attachment
The RTF file contains numerous OLE objects and uses \objupdate to force OLE activation, strongly indicating exploitation of CVE-2017-8759. This vulnerability allows for arbitrary code execution when a vulnerable MSXML version processes the embedded OLE object, likely leading to the download and execution of a secondary payload. The presence of large hex data blocks within the OLE object further suggests the hiding of malicious content.
Heuristics (6)

- CVE-2017-8759 — MSXML SAX OLE activation (critical; CVE likely CVE_2017_8759): RTF contains a hex-encoded OLE1 object for Msxml2.SAXXMLReader.6.0 followed by an embedded OLE compound document, and the document requests OLE activation. This matches the RTF staging shape used for CVE-2017-8759 SOAP/WSDL parser code injection.
- \objupdate forces OLE activation (high; RTF_OBJUPDATE): RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
- Large hex data blocks in OLE object (high; RTF_EXCESSIVE_HEX): RTF contains ~1024KB of hex-encoded data inside \objdata sections, which may hide a payload.
- OLE object data (medium; RTF_OBJDATA): RTF contains 20 \objdata section(s), i.e. embedded OLE objects.
- Embedded OLE object (medium; RTF_OBJEMB): RTF contains \objemb, an embedded OLE object.
- Embedded URL (info; EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.microsoft.com/office/word/2003/wordml (in RTF body)
Extracted artifacts (20)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| objdata_00_off00002b6d.bin | rtf-objdata-decoded | RTF \objdata at offset 0x2B6D | 16961 bytes | 669fc3e54e65a23b1b070642fcb1aff01dbf5208fb893c70b68eba656645c1a0 |
| objdata_01_off0001099f.bin | rtf-objdata-decoded | RTF \objdata at offset 0x1099F | 16961 bytes | 83967c185668302f6db93f251acde19612716a82ddd6067cbafc17b3c0222327 |
| objdata_02_off0001e7d1.bin | rtf-objdata-decoded | RTF \objdata at offset 0x1E7D1 | 16961 bytes | f7fa19f9cc458ca742feb64d26bab5675126fb79c9aeb104a0fee1a1144d4487 |
| objdata_03_off0002c603.bin | rtf-objdata-decoded | RTF \objdata at offset 0x2C603 | 16961 bytes | aad4452c5be61a03d8ed847cb7b46f921fd673e94b700222e899ba08f9e830c0 |
| objdata_04_off0003a435.bin | rtf-objdata-decoded | RTF \objdata at offset 0x3A435 | 16961 bytes | 6e67044b4d13b8f658574df19a52f95b273556e91b55cc4a3ef3881520d96e82 |
| objdata_05_off00048267.bin | rtf-objdata-decoded | RTF \objdata at offset 0x48267 | 16961 bytes | 026d256f961673d950edf7624f10ca7788f69c4ed1ffb2569cb5602fb5e38c99 |
| objdata_06_off00056099.bin | rtf-objdata-decoded | RTF \objdata at offset 0x56099 | 16961 bytes | c4ea71888ef198a64729a13cceb797ed632ef903f3e0beadaa2d23540da5c5c2 |
| objdata_07_off00063ecb.bin | rtf-objdata-decoded | RTF \objdata at offset 0x63ECB | 16961 bytes | c25a9b84ce4f3165ecd06688ecf3a90d0386480b1ed5b5e8abbcc3a85f7582a7 |
| objdata_08_off00071cfd.bin | rtf-objdata-decoded | RTF \objdata at offset 0x71CFD | 16961 bytes | 6fe7bdf16c53d98fb0fca3cde93e3ff9bdb1c05b55f99496016ad929fa977a35 |
| objdata_09_off0007fb2f.bin | rtf-objdata-decoded | RTF \objdata at offset 0x7FB2F | 16961 bytes | c55c86558161980aecec027733a069782087503aaa3a4d5fb8b9f565b1ab1e9d |
| objdata_10_off0008d961.bin | rtf-objdata-decoded | RTF \objdata at offset 0x8D961 | 16961 bytes | 6d5447015eb2023589b0da3709b4db3f0a89f6131680264f25aa87a3a85678b2 |
| objdata_11_off0009b793.bin | rtf-objdata-decoded | RTF \objdata at offset 0x9B793 | 16961 bytes | b0f763f322ac4961a9b91292fa9be5dbe7efc37925a9e9833047abf048bfbcbd |
| objdata_12_off000a95c5.bin | rtf-objdata-decoded | RTF \objdata at offset 0xA95C5 | 16961 bytes | 4de4ab035978318d811ad83a317c8934dbc7845332b8a745ad634d90663fbf7e |
| objdata_13_off000b73f7.bin | rtf-objdata-decoded | RTF \objdata at offset 0xB73F7 | 16961 bytes | 9f38f6c4936ef91d2c7f2104176422a6ed45aa46174155adfa759bf8f3903af1 |
| objdata_14_off000c5229.bin | rtf-objdata-decoded | RTF \objdata at offset 0xC5229 | 16961 bytes | 03ea46e465c48c18b27fa69a0d92bc0eefcaf389eff177a97c0e83f832d367e6 |
| objdata_15_off000d305b.bin | rtf-objdata-decoded | RTF \objdata at offset 0xD305B | 16961 bytes | c9453f64adaa3db8fd2fd034505fec25be3d53352aa9869c8528759e81654ad0 |
| objdata_16_off000e0e8d.bin | rtf-objdata-decoded | RTF \objdata at offset 0xE0E8D | 16961 bytes | 0dd40ab491a34c6c5a2b0428c2243bb62ebc809ddf80d9a27802ca7ed0e8770d |
| objdata_17_off000eecbf.bin | rtf-objdata-decoded | RTF \objdata at offset 0xEECBF | 16961 bytes | caebd72dedd52e3cbb4a9dfa6b718abdfa560051ed7618fe7469fc5e6fb2dd20 |
| objdata_18_off000fcaf1.bin | rtf-objdata-decoded | RTF \objdata at offset 0xFCAF1 | 16961 bytes | e16ff7493e7a9897d64b9068a87ae4aaca8d57d3d034a2065472a9f743ffcb67 |
| objdata_19_off0010a923.bin | rtf-objdata-decoded | RTF \objdata at offset 0x10A923 | 16961 bytes | 4b785806dba8c47266b5229c37acd2201e694d21c47506fc73eb0534e7976e29 |