Xls.Malware.Agent-6836064-0 RTF malware analysis — malicious · 603c5d3dffc0ecfb

MALICIOUS

RTF

857.0 KB Created: 2017-08-08 22:25:00 First seen: 2017-08-27

MD5: c921896eb923b3c81e998146a4b8a3ae SHA-1: 1bdf8146522d49fa3ab365fb10188f535a8229b4 SHA-256: 603c5d3dffc0ecfb898bbab51130b7b1c95c95c0dba8691873eed5a21ef8a052

242 Risk Score

Malware Insights

Xls.Malware.Agent-6836064-0 · confidence 95%

MITRE ATT&CK

T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The RTF file contains multiple embedded OLE objects and triggers an update action, indicating an attempt to exploit vulnerabilities. Specifically, the CVE-2017-8759 heuristic firing points to a known exploit for MSXML SAX OLE activation. The embedded URL 'https://a.pomf.cat/pevdkr.exe' is highly suspicious and likely serves as a download location for a secondary malicious payload, consistent with the ClamAV detection name 'Xls.Malware.Agent-6836064-0'.

Heuristics 7

CVE-2017-8759 — MSXML SAX OLE activation critical CVE likely CVE_2017_8759

RTF contains a hex-encoded OLE1 object for Msxml2.SAXXMLReader.6.0 followed by an embedded OLE compound document, and the document requests OLE activation. This matches the RTF staging shape used for CVE-2017-8759 SOAP/WSDL parser code injection.
ClamAV: Xls.Malware.Agent-6836064-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Xls.Malware.Agent-6836064-0
\objupdate forces OLE activation high RTF_OBJUPDATE

RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
OLE object data medium RTF_OBJDATA

RTF contains 10 \objdata section(s) — embedded OLE objects
Embedded OLE object medium RTF_OBJEMB

RTF contains \objemb — embedded OLE object
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://a.pomf.cat/pevdkr.exe In RTF body
- http://schemas.microsoft.com/office/word/2003/wordmlIn RTF body

Extracted artifacts 10

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`objdata_00_off00002a36.bin`	rtf-objdata-decoded	RTF \objdata at offset 0x2A36	30254 bytes
SHA-256: `d2b1ee487e46f224eed8204e80384867cb7bb671b89319c35ea89b0426e13117`
Detection ClamAV: No threats found Obfuscation or payload: likely Carved macro source contains an auto-exec entry point and execution/download terms.
`objdata_01_off00016e66.bin`	rtf-objdata-decoded	RTF \objdata at offset 0x16E66	30254 bytes
SHA-256: `a68fe76dd2d11f026f09a620e248c8d7e15dbf27536499dc4937202220b09c17`
Detection ClamAV: No threats found Obfuscation or payload: likely Carved macro source contains an auto-exec entry point and execution/download terms.
`objdata_02_off0002b296.bin`	rtf-objdata-decoded	RTF \objdata at offset 0x2B296	30254 bytes
SHA-256: `c26a9a5c3ecb1c4197d5fd9ea6bdbe9a525f5895e512f487185e9a20db3609a6`
Detection ClamAV: No threats found Obfuscation or payload: likely Carved macro source contains an auto-exec entry point and execution/download terms.
`objdata_03_off0003f6c6.bin`	rtf-objdata-decoded	RTF \objdata at offset 0x3F6C6	30254 bytes
SHA-256: `90edda9f6984ab055bb4e5cfbf556e5506aea4a0c6ccdeae3e8b6e40bd0cbc9e`
Detection ClamAV: No threats found Obfuscation or payload: likely Carved macro source contains an auto-exec entry point and execution/download terms.
`objdata_04_off00053af6.bin`	rtf-objdata-decoded	RTF \objdata at offset 0x53AF6	30254 bytes
SHA-256: `7b4831cfdee6832cbbd571bcd6930504f5e8f9e691a94a5a7bb24d6ba1feef68`
Detection ClamAV: No threats found Obfuscation or payload: likely Carved macro source contains an auto-exec entry point and execution/download terms.
`objdata_05_off00067f26.bin`	rtf-objdata-decoded	RTF \objdata at offset 0x67F26	30254 bytes
SHA-256: `106dc3099582dacfc9ea691622dced39c002c33a91db0faaab4a098804194d72`
Detection ClamAV: No threats found Obfuscation or payload: likely Carved macro source contains an auto-exec entry point and execution/download terms.
`objdata_06_off0007c356.bin`	rtf-objdata-decoded	RTF \objdata at offset 0x7C356	38446 bytes
SHA-256: `de84af52e5e02b8771bf41e2a1ae6df3f2ddbae52cc46564338286659db41f5f`
Detection ClamAV: No threats found Obfuscation or payload: likely Carved macro source contains an auto-exec entry point and execution/download terms.
`objdata_07_off00094808.bin`	rtf-objdata-decoded	RTF \objdata at offset 0x94808	30254 bytes
SHA-256: `c82247b8eb8bcdbc140feacb484656929b6ea4fad8e6191674fd2fc11ca73adb`
Detection ClamAV: No threats found Obfuscation or payload: likely Carved macro source contains an auto-exec entry point and execution/download terms.
`objdata_08_off000a8c38.bin`	rtf-objdata-decoded	RTF \objdata at offset 0xA8C38	30254 bytes
SHA-256: `baa5b72b0d393037c2d2d0460ad6f2d8082e313e0fa3c96ff42fe2e191b2e51d`
Detection ClamAV: No threats found Obfuscation or payload: likely Carved macro source contains an auto-exec entry point and execution/download terms.
`objdata_09_off000bd068.bin`	rtf-objdata-decoded	RTF \objdata at offset 0xBD068	30254 bytes
SHA-256: `60224feaf2e17a0ccab2826b4dfa4c03109c9361370c953ac295eae8d8983105`
Detection ClamAV: No threats found Obfuscation or payload: likely Carved macro source contains an auto-exec entry point and execution/download terms.

Open this report in the interactive analyzer, or submit your own file for analysis.