Verdict: MALICIOUS
Risk Score: 382
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1203 Exploitation for Client Execution
T1027 Obfuscated Files or Information
The file is an RTF document containing multiple embedded OLE objects. High-severity heuristics indicate the presence of hex-encoded data within these objects, including a PE header, strongly suggesting the embedding of a malicious executable. ClamAV detection confirms this, identifying the file as Win.Trojan.Patchwork-9965917-0. The document body, a registration form, is likely a lure to encourage the user to interact with the malicious content.
Heuristics (10)
- Composite Moniker in RTF OLE object [high, RTF_COMPOSITE_MONIKER_RELATED]: RTF contains Composite Moniker CLSID in OLE object context, but no nearby scriptlet/SCT payload was confirmed. Treat as related moniker attack-surface evidence rather than proof of CVE-2017-8570 exploitation.
- PE header (with DOS stub) in hex data [critical, RTF_MZ_HEX]: Hex-encoded PE (MZ + DOS stub) found inside RTF — likely an embedded executable payload.
- ClamAV: Win.Trojan.Patchwork-9965917-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Win.Trojan.Patchwork-9965917-0.
- ClamAV detection on extracted artifact [critical, EXTRACTED_FILE_CLAMAV]: ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
- \objupdate forces OLE activation [high, RTF_OBJUPDATE]: RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
- Package object class [high, RTF_OBJCLASS_PACKAGE]: OLE Package object — can wrap arbitrary files.
- Large hex data blocks in OLE object [high, RTF_EXCESSIVE_HEX]: RTF contains ~1127KB of hex-encoded data inside \objdata sections — may hide a payload.
- OLE object data [medium, RTF_OBJDATA]: RTF contains 3 \objdata section(s) — embedded OLE objects.
- Embedded OLE object [medium, RTF_OBJEMB]: RTF contains \objemb — embedded OLE object.
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Extracted URLs:
  - http://ocsp.thawte.com0
  - http://ts-ocsp.ws.symantec.com07
  - http://ocsp.verisign.com0
  - http://schemas.microsoft.com/office/word/2003/wordml
  - http://crl.thawte.com/ThawteTimestampingCA.crl0
  - http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
  - http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
  - https://www.verisign.com/rpa
  - http://csc3-2010-crl.verisign.com/CSC3-2010.crl0D
  - https://www.verisign.com/rpa0
  - http://csc3-2010-aia.verisign.com/CSC3-2010.cer0
  - https://www.verisign.com/cps0*
  - http://logo.verisign.com/vslogo.gif04
  - http://crl.verisign.com/pca3-g5.crl04
Extracted artifacts (3)
Files carved from inside the sample during analysis.
| Filename | SHA-256 | Kind | Source | Size | Detection |
|---|---|---|---|---|---|
| objdata_00_off00117b99.bin | 97ac5ddf7f91bb00dda49b332d7f50c3da8d9b9229593c8bb8b160f56ed46937 | rtf-objdata-decoded | RTF \objdata at offset 0x117B99 | 348670 bytes | |
| objdata_01_off001c8d54.bin | 71021a4f89374a29b06163945c3385ef88a5e85a7c5e06d6294c3649a5dfa1fa | rtf-objdata-decoded | RTF \objdata at offset 0x1C8D54 | 284122 bytes | ClamAV: Win.Trojan.Patchwork-9965917-0; obfuscation or payload: unlikely |
| objdata_02_off0025a3a8.bin | 05ecaf80f94647e76b6d87e983944c97e3be003b7600386d1a595cca6847e885 | rtf-objdata-decoded | RTF \objdata at offset 0x25A3A8 | 38214 bytes | |