MALICIOUS
Risk Score: 282
Heuristics 7
- Composite Moniker in RTF OLE object (high, RTF_COMPOSITE_MONIKER_RELATED): RTF contains Composite Moniker CLSID in OLE object context, but no nearby scriptlet/SCT payload was confirmed. Treat as related moniker attack-surface evidence rather than proof of CVE-2017-8570 exploitation.
- ClamAV: Xls.Malware.Generic-6834349-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Xls.Malware.Generic-6834349-0
- \objupdate forces OLE activation (high, RTF_OBJUPDATE): RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
- Large hex data blocks in OLE object (high, RTF_EXCESSIVE_HEX): RTF contains ~1006KB of hex-encoded data inside \objdata sections — may hide a payload
- OLE object data (medium, RTF_OBJDATA): RTF contains 15 \objdata section(s) — embedded OLE objects
- Embedded OLE object (medium, RTF_OBJEMB): RTF contains \objemb — embedded OLE object
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL http://schemas.microsoft.com/office/word/2003/wordml (in RTF body)
Extracted artifacts 13
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 | Detection | Obfuscation or payload |
|---|---|---|---|---|---|---|
| objdata_00_off00003cfe.bin | rtf-objdata-decoded | RTF \objdata at offset 0x3CFE | 35899 bytes | 0c3a0c0604a83a929695d12f3bd3b60a0ba98ce3ba2df3b803ba79509dfffeaa | ClamAV: Xls.Malware.Generic-6834349-0 | unlikely |
| objdata_01_off0001adde.bin | rtf-objdata-decoded | RTF \objdata at offset 0x1ADDE | 35899 bytes | aeda1846d61e655e0fb18ec5598be2aec90e1ba7f256c1b2404888543d575f8a | ClamAV: Xls.Malware.Generic-6834349-0 | unlikely |
| objdata_04_off0006007e.bin | rtf-objdata-decoded | RTF \objdata at offset 0x6007E | 35899 bytes | 75eb3af4911a4d03fea068e3f45c9f97ac73d92e1bf2eedffa10412f959fcd4e | ClamAV: Xls.Malware.Generic-6834349-0 | unlikely |
| objdata_05_off00077fab.bin | rtf-objdata-decoded | RTF \objdata at offset 0x77FAB | 35899 bytes | 2b0fdf59429672860d9129b9d1e0b710e08843345f3bf07428bee314063dd60a | ClamAV: Xls.Malware.Generic-6834349-0 | unlikely |
| objdata_06_off0008efe2.bin | rtf-objdata-decoded | RTF \objdata at offset 0x8EFE2 | 35899 bytes | 87adf6b625aa17299b0b6dddbe7526c823b415685e52f561946e00cf3376945b | ClamAV: Xls.Malware.Generic-6834349-0 | unlikely |
| objdata_07_off000a6120.bin | rtf-objdata-decoded | RTF \objdata at offset 0xA6120 | 35899 bytes | 47cb382e0be54dc11f5589849834e1ef1c0328551063a812d565f63f01c766ae | ClamAV: Xls.Malware.Generic-6834349-0 | unlikely |
| objdata_08_off000bd25e.bin | rtf-objdata-decoded | RTF \objdata at offset 0xBD25E | 35899 bytes | 9b22544f4b830790418f8e51af71925858fe3ecba8a7b8274884f2f915941082 | ClamAV: Xls.Malware.Generic-6834349-0 | unlikely |
| objdata_09_off000d439c.bin | rtf-objdata-decoded | RTF \objdata at offset 0xD439C | 35899 bytes | 29cf4e597c7b8e436670a5a46a6a197b8ea050f1a4ab90b15df20a3647f6ace4 | ClamAV: Xls.Malware.Generic-6834349-0 | unlikely |
| objdata_10_off000eb4e1.bin | rtf-objdata-decoded | RTF \objdata at offset 0xEB4E1 | 35899 bytes | 6a00eb25ff88abd7c6b34aff4c935fe6ede5292722332870ed4be30cf754dd7a | ClamAV: Xls.Malware.Generic-6834349-0 | unlikely |
| objdata_11_off0010261f.bin | rtf-objdata-decoded | RTF \objdata at offset 0x10261F | 35899 bytes | 0d5b7cfb1c46cac14b42aa20bb0a0c05b04641376a00a7af4b36694ccea9145c | ClamAV: Xls.Malware.Generic-6834349-0 | unlikely |
| objdata_12_off0011975d.bin | rtf-objdata-decoded | RTF \objdata at offset 0x11975D | 35899 bytes | d902f30c21dbe8cb7ca5a4804d470987da2ca0c58847911ea6461aff20ebb06f | ClamAV: Xls.Malware.Generic-6834349-0 | unlikely |
| objdata_13_off0013089b.bin | rtf-objdata-decoded | RTF \objdata at offset 0x13089B | 35899 bytes | 51d7561f1eae4d98ce0873893fa2c22e5b166d335313543ddd351cfce1e2de86 | ClamAV: Xls.Malware.Generic-6834349-0 | unlikely |
| objdata_14_off001479d9.bin | rtf-objdata-decoded | RTF \objdata at offset 0x1479D9 | 35899 bytes | 0d41d6d5ef1a67d1cfbf783c64481479817ea5ac09117529280bf365f6ec6f63 | ClamAV: Xls.Malware.Generic-6834349-0 | unlikely |