Verdict: MALICIOUS
Risk Score: 262

Malware Insights

MITRE ATT&CK
- T1203 Exploitation for Client Execution
- T1566.001 Spearphishing Attachment
The RTF file contains multiple embedded OLE objects, with heuristics indicating that \objupdate forces OLE activation. Crucially, the CVE-2017-8759 exploit is detected, which targets MSXML SAX OLE activation. This suggests the file is designed to exploit this vulnerability to execute arbitrary code, likely by downloading and running a second-stage payload.
Heuristics (6)

- CVE-2017-8759 — MSXML SAX OLE activation (critical, CVE_2017_8759): RTF contains a hex-encoded OLE1 object for Msxml2.SAXXMLReader.6.0 followed by an embedded OLE compound document, and the document requests OLE activation. This matches the RTF staging shape used for CVE-2017-8759 SOAP/WSDL parser code injection.
- ClamAV: Doc.Macro.Obfuscation-6391394-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Macro.Obfuscation-6391394-0
- \objupdate forces OLE activation (high, RTF_OBJUPDATE): RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
- OLE object data (medium, RTF_OBJDATA): RTF contains 12 \objdata section(s), i.e. embedded OLE objects.
- Embedded OLE object (medium, RTF_OBJEMB): RTF contains \objemb, an embedded OLE object.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.microsoft.com/office/word/2003/wordml (in RTF body)
Extracted artifacts (12)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 | Detection |
|---|---|---|---|---|---|
| objdata_00_off00002c4f.bin | rtf-objdata-decoded | RTF \objdata at offset 0x2C4F | 27707 bytes | 952178dd16a8f10426c77b477a0c6adee2fb95a3dd64a9eb324c45ba059d82a4 | ClamAV: Doc.Macro.Obfuscation-6391394-0; obfuscation or payload: unlikely |
| objdata_01_off00016486.bin | rtf-objdata-decoded | RTF \objdata at offset 0x16486 | 27707 bytes | 5a12ce456497ab95cb45e7f3af55a4cd61b1f06b2b1738fc49c7cd50fd3f649e | ClamAV: Doc.Macro.Obfuscation-6391394-0; obfuscation or payload: unlikely |
| objdata_02_off00029cbd.bin | rtf-objdata-decoded | RTF \objdata at offset 0x29CBD | 27707 bytes | 0798c3017ef1f89332c79033b05b48e0c19272c7451d446eb4dfc5120ff5eac1 | ClamAV: Doc.Macro.Obfuscation-6391394-0; obfuscation or payload: unlikely |
| objdata_03_off0003d4f4.bin | rtf-objdata-decoded | RTF \objdata at offset 0x3D4F4 | 27707 bytes | e0f82222945f1c3c8e2d3c84a569bb71981557e6ec0402d5540733b2af766ce9 | ClamAV: Doc.Macro.Obfuscation-6391394-0; obfuscation or payload: unlikely |
| objdata_04_off00050d2b.bin | rtf-objdata-decoded | RTF \objdata at offset 0x50D2B | 27707 bytes | 8b93bd34388d16d14bf4e6a981ab6ebc0c67b4a3fa127e2f75e0367fa8bb733d | ClamAV: Doc.Macro.Obfuscation-6391394-0; obfuscation or payload: unlikely |
| objdata_05_off00064562.bin | rtf-objdata-decoded | RTF \objdata at offset 0x64562 | 27707 bytes | 6d3e1d09a6f6aac5de9f178b3ed15381ff9796b866e628bc42f2b556b9f22473 | ClamAV: Doc.Macro.Obfuscation-6391394-0; obfuscation or payload: unlikely |
| objdata_06_off00077de5.bin | rtf-objdata-decoded | RTF \objdata at offset 0x77DE5 | 27707 bytes | 76bdea4878b96b9bd0cfa2e5840250a76fd12ee5df92069aac6c6adf968d68b6 | ClamAV: Doc.Macro.Obfuscation-6391394-0; obfuscation or payload: unlikely |
| objdata_07_off0008b61c.bin | rtf-objdata-decoded | RTF \objdata at offset 0x8B61C | 27707 bytes | b61d904a734c4b5f10c937807b476b7837068d4e23abe60a1819055ae359fcb6 | ClamAV: Doc.Macro.Obfuscation-6391394-0; obfuscation or payload: unlikely |
| objdata_08_off0009ee53.bin | rtf-objdata-decoded | RTF \objdata at offset 0x9EE53 | 27707 bytes | d52a5b68b9f2d949f9c9641ccec66865719b3386339cd0768f42e8b51e81891c | ClamAV: Doc.Macro.Obfuscation-6391394-0; obfuscation or payload: unlikely |
| objdata_09_off000b268a.bin | rtf-objdata-decoded | RTF \objdata at offset 0xB268A | 27707 bytes | 4ea44a35a76c5ee1dafb4a992c4a5d9e44331b975a909f6d16112f0759f5e747 | ClamAV: Doc.Macro.Obfuscation-6391394-0; obfuscation or payload: unlikely |
| objdata_10_off000c5ec1.bin | rtf-objdata-decoded | RTF \objdata at offset 0xC5EC1 | 27707 bytes | 343f39b9dbc669b766daccd7b8defd2b7247b7ff28b81a37eaee97f4b4440721 | ClamAV: Doc.Macro.Obfuscation-6391394-0; obfuscation or payload: unlikely |
| objdata_11_off000d96f8.bin | rtf-objdata-decoded | RTF \objdata at offset 0xD96F8 | 27707 bytes | 97dfc66d439284beb8c6f28edfb32f2552e8fd598fede53fabb4e5a40e9c8e09 | ClamAV: Doc.Macro.Obfuscation-6391394-0; obfuscation or payload: unlikely |