Verdict: MALICIOUS
Risk Score: 202
Malware Insights
MITRE ATT&CK
T1203 Exploitation for Client Execution
T1566.001 Spearphishing Attachment
The RTF file embeds an OLE object (\objemb) whose \objdata is a hex-encoded OLE1 object for the Msxml2.SAXXMLReader.6.0 ProgID wrapping an OLE compound document, and \objupdate forces that object to be instantiated as soon as the document is opened, with no user interaction. This is the staging shape used for CVE-2017-8759 (code injection in the .NET SOAP/WSDL parser reached through MSXML) and is typical of droppers that fetch and execute a second stage. ClamAV's signature match (see Heuristics) independently classifies the sample as a dropper.
Heuristics (6)
- CVE-2017-8759 — MSXML SAX OLE activation (critical; CVE likely; tag CVE_2017_8759): the RTF contains a hex-encoded OLE1 object for Msxml2.SAXXMLReader.6.0 followed by an embedded OLE compound document, and the document requests OLE activation. This matches the RTF staging shape used for CVE-2017-8759 SOAP/WSDL parser code injection.
- ClamAV: Doc.Dropper.Agent-6952931-0 (critical; tag CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Agent-6952931-0.
- \objupdate forces OLE activation (high; tag RTF_OBJUPDATE): the RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Legitimate documents rarely need it; it is a staple of exploit documents such as Equation Editor (CVE-2017-11882) and CVE-2017-8759 samples.
- OLE object data (medium; tag RTF_OBJDATA): the RTF contains 10 \objdata sections, i.e. 10 embedded OLE objects.
- Embedded OLE object (medium; tag RTF_OBJEMB): the RTF contains \objemb, an embedded OLE object.
- Embedded URL (info; tag EMBEDDED_URL): one or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.microsoft.com/office/word/2003/wordml, found in the RTF body. This is the WordprocessingML namespace URI that Word writes into the RTF it generates (the \xmlnstbl group), not a download location, so it should not be treated as an indicator on its own.
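The heuristics above (\objemb, \objupdate, hex-encoded \objdata, the OLE1 ProgID and the compound-document magic behind it) can be reproduced with a few dozen lines of parsing. The block below is an added illustration, not the analyzer's own code: it decodes each \objdata group, parses the MS-OLEDS OLE1 ObjectHeader to recover the class name, checks whether the native data starts with the [MS-CFB] header signature, hashes the decoded object the way the artifact table does, and flags the CVE-2017-8759 staging shape. The sample RTF it analyzes is constructed inline with a stub compound document (no exploit payload), and the function names `make_sample_rtf`, `extract_objdata_hex`, `parse_ole1` and `analyze_rtf` are this example's own.

```python
import hashlib
import re
import struct

# Constructed sample (not the analyzed file): an RTF with \objemb + \objupdate whose
# \objdata is a hex-encoded OLE1 EmbeddedObject for the MSXML SAX reader ProgID,
# wrapping a stub compound-document header. No exploit code is included.
CFB_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # [MS-CFB] header signature


def lp_ansi(s: str) -> bytes:
    """MS-OLEDS LengthPrefixedAnsiString: u32 length (incl. NUL) + bytes; u32 0 if empty."""
    if not s:
        return struct.pack("<I", 0)
    b = s.encode("ascii") + b"\x00"
    return struct.pack("<I", len(b)) + b


def build_ole1_embedded(classname: str, native: bytes) -> bytes:
    """OLE1 EmbeddedObject: ObjectHeader (OLEVersion, FormatID=2 embedded, ClassName,
    TopicName, ItemName) followed by NativeDataSize and NativeData."""
    hdr = struct.pack("<II", 0x00000501, 0x00000002)
    hdr += lp_ansi(classname) + lp_ansi("") + lp_ansi("")
    return hdr + struct.pack("<I", len(native)) + native


def make_sample_rtf() -> str:
    native = CFB_MAGIC + b"\x00" * 24  # stand-in for a compound document body
    hexdata = build_ole1_embedded("Msxml2.SAXXMLReader.6.0", native).hex()
    # Real samples wrap the hex across lines; the extractor must cope with that.
    hexdata = "\r\n".join(hexdata[i:i + 64] for i in range(0, len(hexdata), 64))
    return ("{\\rtf1\\ansi{\\object\\objemb\\objupdate"
            "{\\*\\objclass Msxml2.SAXXMLReader.6.0}"
            "{\\*\\objdata " + hexdata + "}}}")


CTRL_WORD = re.compile(r"[A-Za-z]+-?\d*")  # control word with optional numeric parameter


def extract_objdata_hex(rtf: str, pos: int) -> bytes:
    """Collect hex digits from pos to the end of the enclosing group, skipping control
    words (whose letters a-f would otherwise pollute the hex) and nested braces."""
    hexchars, depth, i = [], 0, pos
    while i < len(rtf):
        c = rtf[i]
        if c == "\\":
            m = CTRL_WORD.match(rtf, i + 1)
            i += 1 + (m.end() - m.start() if m else 1)
            continue
        if c == "{":
            depth += 1
        elif c == "}":
            depth -= 1
            if depth < 0:
                break
        elif c in "0123456789abcdefABCDEF":
            hexchars.append(c)
        i += 1
    h = "".join(hexchars)
    return bytes.fromhex(h[: len(h) // 2 * 2])  # drop a dangling nibble


def parse_ole1(blob: bytes):
    """Parse the OLE1 ObjectHeader; returns None when the blob is not well-formed."""
    try:
        version, fmt = struct.unpack_from("<II", blob, 0)
        off, names = 8, []
        for _ in range(3):  # ClassName, TopicName, ItemName
            (n,) = struct.unpack_from("<I", blob, off)
            off += 4
            if off + n > len(blob):
                return None
            names.append(blob[off:off + n].rstrip(b"\x00").decode("latin-1"))
            off += n
        native = b""
        if fmt == 2:  # embedded object: NativeDataSize + NativeData follow
            (size,) = struct.unpack_from("<I", blob, off)
            native = blob[off + 4: off + 4 + size]
    except struct.error:
        return None
    return {"ole_version": version, "format_id": fmt, "classname": names[0], "native": native}


def analyze_rtf(rtf: str) -> dict:
    """Reproduce the report's heuristics on one RTF string: objemb, objupdate, each
    decoded objdata object (offset, size, sha256, class name, CFB check), and whether
    the CVE-2017-8759 staging shape (SAXXMLReader + compound doc + forced update) is present."""
    report = {
        "objemb": re.search(r"\\objemb\b", rtf) is not None,
        "objupdate": re.search(r"\\objupdate\b", rtf) is not None,
        "objects": [],
    }
    for m in re.finditer(r"\\objdata\b", rtf):
        blob = extract_objdata_hex(rtf, m.end())
        ole = parse_ole1(blob)
        report["objects"].append({
            "offset": m.start(),
            "size": len(blob),
            "sha256": hashlib.sha256(blob).hexdigest(),
            "classname": ole["classname"] if ole else None,
            "native_is_cfb": bool(ole and ole["native"].startswith(CFB_MAGIC)),
        })
    report["cve_2017_8759_shape"] = report["objupdate"] and any(
        o["classname"] and "saxxmlreader" in o["classname"].lower() and o["native_is_cfb"]
        for o in report["objects"])
    return report
```

Calling `analyze_rtf(make_sample_rtf())` returns one object with class name Msxml2.SAXXMLReader.6.0 and `cve_2017_8759_shape` set. On a real sample, run the same loop over every \objdata group rather than stopping at the first: the artifact table below shows ten objects with matching sizes but distinct hashes, so the ProgID and native-data checks are worth repeating per object.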
Extracted artifacts (10)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| objdata_00_off00004d78.bin | rtf-objdata-decoded | RTF \objdata at offset 0x4D78 | 21051 bytes | 2a0b2225ae0862623fb06583739f8dcbf6a74a23539e11f34dd97050744691fa |
| objdata_01_off00011908.bin | rtf-objdata-decoded | RTF \objdata at offset 0x11908 | 21051 bytes | c4c2b14eecdca76ccda9810db49bf196c78fd82e75aa71dff6f38b960edfe76e |
| objdata_02_off000216eb.bin | rtf-objdata-decoded | RTF \objdata at offset 0x216EB | 21051 bytes | 008033d4e61ea133c2ded6d6b83d4ce2ca9d62832727a50314212294f404449f |
| objdata_03_off0002e27b.bin | rtf-objdata-decoded | RTF \objdata at offset 0x2E27B | 21051 bytes | aff88e90c40f03733555e42db8b0b33c634e3b7787ef28e4b3f04970f20b5c75 |
| objdata_04_off0003e05e.bin | rtf-objdata-decoded | RTF \objdata at offset 0x3E05E | 21051 bytes | fa64a4bd94d036c1754458e85cd870daaa414e5d88a8fb25782c03124debdf1c |
| objdata_05_off0004abee.bin | rtf-objdata-decoded | RTF \objdata at offset 0x4ABEE | 21051 bytes | db26f950fc01a3aa0ee6422b7c4ac2fc98f8c0e5b999910d3303ca5d73388710 |
| objdata_06_off0005a9d1.bin | rtf-objdata-decoded | RTF \objdata at offset 0x5A9D1 | 21051 bytes | f5970eda0dea0f7d374cacc0628dc4a8975a55558cd1b37e0a41ab3e2f2f2458 |
| objdata_07_off00067561.bin | rtf-objdata-decoded | RTF \objdata at offset 0x67561 | 21051 bytes | 520aa3b88fffc0ec662b323a9b8bbe006563780b30672a7de6d5e191890d856d |
| objdata_08_off00077344.bin | rtf-objdata-decoded | RTF \objdata at offset 0x77344 | 21563 bytes | 012315366ca90adb73129f23b791a76610e2449e9287339474603386f2d17fb4 |
| objdata_09_off000842dc.bin | rtf-objdata-decoded | RTF \objdata at offset 0x842DC | 21563 bytes | e6d7a0b2944cd743ba5174aba475d8ca582b8709e9c1d2294cbf253d3e561be9 |

Eight of the ten decoded objects are exactly 21051 bytes and the last two are 21563 bytes, yet all ten carry distinct SHA-256 hashes. Same size with different content means they are not byte-identical copies, so each carved object should be inspected individually rather than treating the first as representative.