Verdict: MALICIOUS
Risk Score: 182
Malware Insights
MITRE ATT&CK
- T1203 Exploitation for Client Execution
- T1566.001 Spearphishing Attachment
The RTF file contains numerous OLE objects and uses \objupdate to force OLE activation, strongly indicating exploitation of CVE-2017-8759. This vulnerability allows for arbitrary code execution when a vulnerable MSXML version processes the embedded OLE object, likely leading to the download and execution of a secondary payload. The presence of large hex data blocks within the OLE object further suggests the hiding of malicious content.
Heuristics (6)
- CVE-2017-8759 — MSXML SAX OLE activation (severity: critical; tag: CVE likely; rule: CVE_2017_8759): RTF contains a hex-encoded OLE1 object for Msxml2.SAXXMLReader.6.0 followed by an embedded OLE compound document, and the document requests OLE activation. This matches the RTF staging shape used for CVE-2017-8759 SOAP/WSDL parser code injection.
- \objupdate forces OLE activation (severity: high; rule: RTF_OBJUPDATE): RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
- Large hex data blocks in OLE object (severity: high; rule: RTF_EXCESSIVE_HEX): RTF contains ~1024KB of hex-encoded data inside \objdata sections, which may hide a payload.
- OLE object data (severity: medium; rule: RTF_OBJDATA): RTF contains 14 \objdata section(s), i.e. embedded OLE objects.
- Embedded OLE object (severity: medium; rule: RTF_OBJEMB): RTF contains \objemb, an embedded OLE object.
- Embedded URL (severity: info; rule: EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.microsoft.com/office/word/2003/wordml (in RTF body)
Extracted artifacts (14)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| objdata_00_off00002c9d.bin | rtf-objdata-decoded | RTF \objdata at offset 0x2C9D | 26683 bytes | c3f7962da36c4a48535645a1aebbbb257052395a549e3ae1cc77f22ba6829073 |
| objdata_01_off00015d29.bin | rtf-objdata-decoded | RTF \objdata at offset 0x15D29 | 26683 bytes | 9a6583e7c3f90510446f9a57c26dcc25d865f43414322dc40993405ab79c1aab |
| objdata_02_off000287d3.bin | rtf-objdata-decoded | RTF \objdata at offset 0x287D3 | 26683 bytes | 381c230d288c468b715cb90f63408668394d1c088b24647e4f532198bfc54603 |
| objdata_03_off0003b27d.bin | rtf-objdata-decoded | RTF \objdata at offset 0x3B27D | 26683 bytes | c283e497c69ce890b7df4f88b873ed6ef7a3c4d7bf18135a50b566fc03375bf9 |
| objdata_04_off0004dd27.bin | rtf-objdata-decoded | RTF \objdata at offset 0x4DD27 | 26683 bytes | 26beb19dc5d7027918094fe182673230934754c827e7fc09e47bd2275147f508 |
| objdata_05_off000607d1.bin | rtf-objdata-decoded | RTF \objdata at offset 0x607D1 | 26683 bytes | 1ad9c0881215ea48bb5ab616e64a07a3fcf1885a82706e69e1f8e3639b676bfc |
| objdata_06_off0007327b.bin | rtf-objdata-decoded | RTF \objdata at offset 0x7327B | 26683 bytes | eba44b653694983883e1efd565a4e2337131a85706cb3adc2349a084c9741d52 |
| objdata_07_off00085db9.bin | rtf-objdata-decoded | RTF \objdata at offset 0x85DB9 | 26683 bytes | 12357372c9cf1db85e131621b4217f60a74acf65cfae3ebfcd6b6ed5d4183ff6 |
| objdata_08_off00098e45.bin | rtf-objdata-decoded | RTF \objdata at offset 0x98E45 | 26683 bytes | 48eed09474b9f8423444ffa4ac81796221d9e36dc8119544ca838d0ebcfd6ea1 |
| objdata_09_off000ab8ef.bin | rtf-objdata-decoded | RTF \objdata at offset 0xAB8EF | 26683 bytes | b3839f7366f3d6c7c93fc597b0f7a9b8aafe2126b29106ebc680665b23b58785 |
| objdata_10_off000be399.bin | rtf-objdata-decoded | RTF \objdata at offset 0xBE399 | 26683 bytes | ef084d6c7d45f5f0a5876370945dbb39cbf20d49c1e9377867f46cc0ccfebed7 |
| objdata_11_off000d0e43.bin | rtf-objdata-decoded | RTF \objdata at offset 0xD0E43 | 26683 bytes | 35d2c467c5fa6461b1e446b68004945d9deb8e2d3e28b62ff692a16593f308bb |
| objdata_12_off000e38ed.bin | rtf-objdata-decoded | RTF \objdata at offset 0xE38ED | 26683 bytes | 8c8189cf142a299cc302168962cbe94bf3a173a343b41ec89538ca6bb09e2c2c |
| objdata_13_off000f6397.bin | rtf-objdata-decoded | RTF \objdata at offset 0xF6397 | 26683 bytes | eec5fbfbebb3cedb79df347ff5d8c359dd691a4ece7acd41195efbe837037b49 |