MALICIOUS
262
Risk Score
Malware Insights
MITRE ATT&CK
T1203 Exploitation for Client Execution
T1566.001 Spearphishing Attachment
The RTF file contains multiple embedded OLE objects and triggers their activation via \objupdate, exploiting CVE-2017-8759. This indicates the file is designed to drop and execute a secondary payload, as suggested by the ClamAV detection name 'Doc.Dropper.Agent-6412232-1'. The exploitation of a known vulnerability points to a malicious dropper.
Heuristics 6
-
CVE-2017-8759 — MSXML SAX OLE activation critical CVE likely CVE_2017_8759RTF contains a hex-encoded OLE1 object for Msxml2.SAXXMLReader.6.0 followed by an embedded OLE compound document, and the document requests OLE activation. This matches the RTF staging shape used for CVE-2017-8759 SOAP/WSDL parser code injection.
-
ClamAV: Doc.Dropper.Agent-6412232-1 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Dropper.Agent-6412232-1
-
\objupdate forces OLE activation high RTF_OBJUPDATERTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
-
OLE object data medium RTF_OBJDATARTF contains 10 \objdata section(s) — embedded OLE objects
-
Embedded OLE object medium RTF_OBJEMBRTF contains \objemb — embedded OLE object
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.microsoft.com/office/word/2003/wordml In RTF body
Extracted artifacts 10
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
objdata_00_off00002d0c.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x2D0C | 33339 bytes |
SHA-256: 83854707b3e78cd1d1d8f855a10cbe513810df680667f679d673b96d5152cf3f |
|||
|
Detection
ClamAV:
Doc.Dropper.Agent-6412232-1
Obfuscation or payload:
unlikely
|
|||
objdata_01_off00018caa.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x18CAA | 33339 bytes |
SHA-256: b6cbb18e3fd962bea7f13ceb079acfdf530a07d41bd2f9e97c64d26613b7be72 |
|||
|
Detection
ClamAV:
Doc.Dropper.Agent-6412232-1
Obfuscation or payload:
unlikely
|
|||
objdata_02_off0002ebfd.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x2EBFD | 33339 bytes |
SHA-256: 2bae19565e399508144e0f2f48f516f7d1b722f65bcdba318eac3ce73011ba59 |
|||
|
Detection
ClamAV:
Doc.Dropper.Agent-6412232-1
Obfuscation or payload:
unlikely
|
|||
objdata_03_off00044b50.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x44B50 | 33339 bytes |
SHA-256: b9b9f14ed39b7c64605080ecdac07680a65202497ef4d49a132cf59e36753ca7 |
|||
|
Detection
ClamAV:
Doc.Dropper.Agent-6412232-1
Obfuscation or payload:
unlikely
|
|||
objdata_04_off0005aaa3.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x5AAA3 | 33339 bytes |
SHA-256: 1725b494a4260be1135578fdff463d17d7b725ab82cd03aa73d6085107dd1e44 |
|||
|
Detection
ClamAV:
Doc.Dropper.Agent-6412232-1
Obfuscation or payload:
unlikely
|
|||
objdata_05_off000709fd.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x709FD | 33339 bytes |
SHA-256: 212bee41c54104be2022e44cccb6740e8a7380eeb4663ae60bfdc1f2e940f4a7 |
|||
|
Detection
ClamAV:
Doc.Dropper.Agent-6412232-1
Obfuscation or payload:
unlikely
|
|||
objdata_06_off00086950.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x86950 | 33339 bytes |
SHA-256: 06516f60f6d50b490d63322b63a4d8eadff5ac48b1c561d14b5ec0399daa4754 |
|||
|
Detection
ClamAV:
Doc.Dropper.Agent-6412232-1
Obfuscation or payload:
unlikely
|
|||
objdata_07_off0009c8a3.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x9C8A3 | 33339 bytes |
SHA-256: 188d0252cd318b2d28c287d2c185aa9e1a11705de1bcad10e26e8e7ee1ec51ef |
|||
|
Detection
ClamAV:
Doc.Dropper.Agent-6412232-1
Obfuscation or payload:
unlikely
|
|||
objdata_08_off000b27f6.bin |
rtf-objdata-decoded | RTF \objdata at offset 0xB27F6 | 33339 bytes |
SHA-256: d203b0c8d589033a3d645ddd1e77609a49cf0cd17e9cbcbd83e2dc8d696cc52c |
|||
|
Detection
ClamAV:
Doc.Dropper.Agent-6412232-1
Obfuscation or payload:
unlikely
|
|||
objdata_09_off000c8749.bin |
rtf-objdata-decoded | RTF \objdata at offset 0xC8749 | 33339 bytes |
SHA-256: ea3c7d48f6184021a223c1f4dd05441170e943b02bef9acf6a40d9cc0b2ad3e4 |
|||
|
Detection
ClamAV:
Doc.Dropper.Agent-6412232-1
Obfuscation or payload:
unlikely
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.