Xls.Dropper.Agent-7085223-0 RTF malware analysis — malicious · 50865e10791dab7c

MALICIOUS

RTF

690.6 KB Created: 2019-07-23 10:51:00 First seen: 2019-12-09

MD5: f560eed28f6515919d2cef9bb33777b8 SHA-1: cb4742b67e188b94c1420890604560cedad7880c SHA-256: 50865e10791dab7cb84399bde45eff4f1c82716b14e92f6e0c13393052ae18e9

242 Risk Score

Malware Insights

Xls.Dropper.Agent-7085223-0 · confidence 95%

MITRE ATT&CK

T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The RTF file contains multiple embedded OLE objects, with a critical heuristic indicating exploitation of CVE-2017-8759 for OLE activation. This suggests the file is designed to execute arbitrary code via the embedded objects. ClamAV detection as 'Xls.Dropper.Agent-7085223-0' further supports its malicious nature as a dropper. The embedded objects themselves are suspicious artifacts that likely contain the next stage of the attack.

Heuristics 7

CVE-2017-8759 — MSXML SAX OLE activation critical CVE likely CVE_2017_8759

RTF contains a hex-encoded OLE1 object for Msxml2.SAXXMLReader.6.0 followed by an embedded OLE compound document, and the document requests OLE activation. This matches the RTF staging shape used for CVE-2017-8759 SOAP/WSDL parser code injection.
ClamAV: Xls.Dropper.Agent-7085223-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Xls.Dropper.Agent-7085223-0
\objupdate forces OLE activation high RTF_OBJUPDATE

RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
OLE object data medium RTF_OBJDATA

RTF contains 3 \objdata section(s) — embedded OLE objects
Embedded OLE object medium RTF_OBJEMB

RTF contains \objemb — embedded OLE object
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://schemas.microsoft.com/office/word/2003/wordml In RTF body

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`objdata_00_off000028ff.bin`	rtf-objdata-decoded	RTF \objdata at offset 0x28FF	98862 bytes
SHA-256: `c6744ec22963ea3e87eff94fd41ff14a4e9096c787ddf5ed2bc4ecc4900e51dc`
Detection ClamAV: No threats found Obfuscation or payload: likely Carved macro source contains an auto-exec entry point and execution/download terms.
`objdata_01_off00038bb2.bin`	rtf-objdata-decoded	RTF \objdata at offset 0x38BB2	98862 bytes
SHA-256: `61977fcb6d717d11bc58e7aa544dcea2b4e6b9bc54c1a177877c678a85a017b8`
Detection ClamAV: No threats found Obfuscation or payload: likely Carved macro source contains an auto-exec entry point and execution/download terms.
`objdata_02_off0006ee65.bin`	rtf-objdata-decoded	RTF \objdata at offset 0x6EE65	98862 bytes
SHA-256: `3b0017a2a41e18cb57fdcd6b0efa778b4aa8835705432d89fcaa2181b99389bc`
Detection ClamAV: No threats found Obfuscation or payload: likely Carved macro source contains an auto-exec entry point and execution/download terms.

Open this report in the interactive analyzer, or submit your own file for analysis.