MALICIOUS
242
Risk Score
Heuristics 6
-
Composite Moniker in RTF OLE object high RTF_COMPOSITE_MONIKER_RELATEDRTF contains Composite Moniker CLSID in OLE object context, but no nearby scriptlet/SCT payload was confirmed. Treat as related moniker attack-surface evidence rather than proof of CVE-2017-8570 exploitation.
-
ClamAV: Xls.Malware.Generic-6834349-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Xls.Malware.Generic-6834349-0
-
\objupdate forces OLE activation high RTF_OBJUPDATERTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
-
OLE object data medium RTF_OBJDATARTF contains 10 \objdata section(s) — embedded OLE objects
-
Embedded OLE object medium RTF_OBJEMBRTF contains \objemb — embedded OLE object
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.microsoft.com/office/word/2003/wordml In RTF body
Extracted artifacts 10
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
objdata_00_off00003d19.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x3D19 | 35899 bytes |
SHA-256: 6f8a6f4d11c9b51e6d67cd1b5380fc0c5e0d435681de78580a684da0c260231f |
|||
|
Detection
ClamAV:
Xls.Malware.Generic-6834349-0
Obfuscation or payload:
unlikely
|
|||
objdata_01_off0001ae13.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x1AE13 | 35899 bytes |
SHA-256: c16be61e57d702fa6f256c754be90b01039025e337e7f3c1ee6c3ac23035aef2 |
|||
|
Detection
ClamAV:
Xls.Malware.Generic-6834349-0
Obfuscation or payload:
unlikely
|
|||
objdata_02_off00031f0d.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x31F0D | 35899 bytes |
SHA-256: 62a49b37042c7a119992f1b7697c57a06041eb5f4d69d51ff6a0da73a07daefb |
|||
|
Detection
ClamAV:
Xls.Malware.Generic-6834349-0
Obfuscation or payload:
unlikely
|
|||
objdata_03_off00049007.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x49007 | 35899 bytes |
SHA-256: c5002978044a5c45c6a81573f15d5a62b431a3a2aaaea80fcb807511fac5223d |
|||
|
Detection
ClamAV:
Xls.Malware.Generic-6834349-0
Obfuscation or payload:
unlikely
|
|||
objdata_04_off00060101.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x60101 | 35899 bytes |
SHA-256: 759d352acbe776e1db2d79fc58e5e3a095ac823158a4db65b5afbafbc90745c4 |
|||
|
Detection
ClamAV:
Xls.Malware.Generic-6834349-0
Obfuscation or payload:
unlikely
|
|||
objdata_05_off00078017.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x78017 | 35899 bytes |
SHA-256: 649919986114504a9db6db41d9947265020df700d5b4d887b72beb0b03c45121 |
|||
|
Detection
ClamAV:
Xls.Malware.Generic-6834349-0
Obfuscation or payload:
unlikely
|
|||
objdata_06_off0008f12f.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x8F12F | 35899 bytes |
SHA-256: 24e9d5f49119a38b48117ff50bc9a24cb6d4202b448e8c3e12389eb4407cbad4 |
|||
|
Detection
ClamAV:
Xls.Malware.Generic-6834349-0
Obfuscation or payload:
unlikely
|
|||
objdata_07_off000a6249.bin |
rtf-objdata-decoded | RTF \objdata at offset 0xA6249 | 35899 bytes |
SHA-256: 16761b6438ca14951f4e19f8fe5b1f844c8fbf809352617d31e405ac031b1c62 |
|||
|
Detection
ClamAV:
Xls.Malware.Generic-6834349-0
Obfuscation or payload:
unlikely
|
|||
objdata_08_off000bd363.bin |
rtf-objdata-decoded | RTF \objdata at offset 0xBD363 | 35899 bytes |
SHA-256: d58d24baa19761f7ff6a5a0262bbee2c83199a79a873fbe1ee394e5b97484cfb |
|||
|
Detection
ClamAV:
Xls.Malware.Generic-6834349-0
Obfuscation or payload:
unlikely
|
|||
objdata_09_off000d447d.bin |
rtf-objdata-decoded | RTF \objdata at offset 0xD447D | 35899 bytes |
SHA-256: 9323148851da454041557ec432af911f029a97d15068b8e5cc3ecf86586d5c32 |
|||
|
Detection
ClamAV:
Xls.Malware.Generic-6834349-0
Obfuscation or payload:
unlikely
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.