MALICIOUS
262
Risk Score
Malware Insights
MITRE ATT&CK
T1203 Exploitation for Client Execution
T1566.001 Spearphishing Attachment
The RTF file contains multiple embedded OLE objects, with heuristics indicating that \objupdate forces OLE activation. Critical firings for CVE-2017-8759 and ClamAV detection confirm the exploitation of this vulnerability. This suggests the file is designed to execute malicious code via the embedded object, likely as a downloader for a second-stage payload.
Heuristics 6
-
CVE-2017-8759 — MSXML SAX OLE activation critical CVE likely CVE_2017_8759RTF contains a hex-encoded OLE1 object for Msxml2.SAXXMLReader.6.0 followed by an embedded OLE compound document, and the document requests OLE activation. This matches the RTF staging shape used for CVE-2017-8759 SOAP/WSDL parser code injection.
-
ClamAV: Doc.Macro.Obfuscation-6391394-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Macro.Obfuscation-6391394-0
-
\objupdate forces OLE activation high RTF_OBJUPDATERTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
-
OLE object data medium RTF_OBJDATARTF contains 10 \objdata section(s) — embedded OLE objects
-
Embedded OLE object medium RTF_OBJEMBRTF contains \objemb — embedded OLE object
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.microsoft.com/office/word/2003/wordml In RTF body
Extracted artifacts 10
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
objdata_00_off00002a87.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x2A87 | 26171 bytes |
SHA-256: 9c5e0c2a29b3914ca8df6bddb76b2561dc7ee8c4956b35f2c198a7bb8970f7ad |
|||
|
Detection
ClamAV:
Doc.Macro.Obfuscation-6391394-0
Obfuscation or payload:
unlikely
|
|||
objdata_01_off000150d6.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x150D6 | 26171 bytes |
SHA-256: adfedcb8776dd46400f2321bec34ec6b84b8bccd27f0d72195cc9dd3f414b782 |
|||
|
Detection
ClamAV:
Doc.Macro.Obfuscation-6391394-0
Obfuscation or payload:
unlikely
|
|||
objdata_02_off00027727.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x27727 | 26171 bytes |
SHA-256: 376e65e2fa01a61107164ed7c00d2eb541ef6e26ee2a165ba0174514c541607a |
|||
|
Detection
ClamAV:
Doc.Macro.Obfuscation-6391394-0
Obfuscation or payload:
unlikely
|
|||
objdata_03_off00039d78.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x39D78 | 26171 bytes |
SHA-256: 8b62eae15d5fa2ca0131146172b34741f04d20329948d9af628a7c9b49a93492 |
|||
|
Detection
ClamAV:
Doc.Macro.Obfuscation-6391394-0
Obfuscation or payload:
unlikely
|
|||
objdata_04_off0004c3c9.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x4C3C9 | 26171 bytes |
SHA-256: 7c9588b8045a7bb4ddf113a9bbe638004fa02406a951d033a10bd896b519671e |
|||
|
Detection
ClamAV:
Doc.Macro.Obfuscation-6391394-0
Obfuscation or payload:
unlikely
|
|||
objdata_05_off0005ea1a.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x5EA1A | 26171 bytes |
SHA-256: 59524809b8cf1ef0cd0971e952870f8e033f7ea6fc0c7d8bde2610a932ad2d10 |
|||
|
Detection
ClamAV:
Doc.Macro.Obfuscation-6391394-0
Obfuscation or payload:
unlikely
|
|||
objdata_06_off0007106b.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x7106B | 26171 bytes |
SHA-256: a3c5f1b5edb653fa210873b3bc5b2e0b303a86eaacc3915b0016a3378a5e794b |
|||
|
Detection
ClamAV:
Doc.Macro.Obfuscation-6391394-0
Obfuscation or payload:
unlikely
|
|||
objdata_07_off000836bc.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x836BC | 26171 bytes |
SHA-256: 48d95c4cfffcd92012fb2f7810a74ca6f431d5de177eaa69bac78bf51cd12d42 |
|||
|
Detection
ClamAV:
Doc.Macro.Obfuscation-6391394-0
Obfuscation or payload:
unlikely
|
|||
objdata_08_off00095d0d.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x95D0D | 26171 bytes |
SHA-256: 1f76ab4b94338d4e854f613aa56d8adb764e4c9450cf73293d56427d595fcfaa |
|||
|
Detection
ClamAV:
Doc.Macro.Obfuscation-6391394-0
Obfuscation or payload:
unlikely
|
|||
objdata_09_off000a835e.bin |
rtf-objdata-decoded | RTF \objdata at offset 0xA835E | 26171 bytes |
SHA-256: c4498a7e0ddad49dd84e36d8b3433665c87f7d7bd4c1923001e75146010c3c67 |
|||
|
Detection
ClamAV:
Doc.Macro.Obfuscation-6391394-0
Obfuscation or payload:
unlikely
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.