MALICIOUS
242
Risk Score
Heuristics 6
-
Composite Moniker in RTF OLE object high RTF_COMPOSITE_MONIKER_RELATEDRTF contains Composite Moniker CLSID in OLE object context, but no nearby scriptlet/SCT payload was confirmed. Treat as related moniker attack-surface evidence rather than proof of CVE-2017-8570 exploitation.
-
ClamAV: Xls.Malware.Generic-6834349-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Xls.Malware.Generic-6834349-0
-
\objupdate forces OLE activation high RTF_OBJUPDATERTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
-
OLE object data medium RTF_OBJDATARTF contains 10 \objdata section(s) — embedded OLE objects
-
Embedded OLE object medium RTF_OBJEMBRTF contains \objemb — embedded OLE object
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.microsoft.com/office/word/2003/wordml In RTF body
Extracted artifacts 10
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
objdata_00_off00003d73.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x3D73 | 35899 bytes |
SHA-256: 8df27ca29e9d6a103345933777cb57a161c6cee636bf3cc36223ee8a7ab1dacb |
|||
|
Detection
ClamAV:
Xls.Malware.Generic-6834349-0
Obfuscation or payload:
unlikely
|
|||
objdata_01_off0001ae69.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x1AE69 | 35899 bytes |
SHA-256: 95eb37c1fe37c9fd3b57a8d0da5a681b2642d0cccb66ffbc115e417a60f28821 |
|||
|
Detection
ClamAV:
Xls.Malware.Generic-6834349-0
Obfuscation or payload:
unlikely
|
|||
objdata_02_off00031f5f.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x31F5F | 35899 bytes |
SHA-256: 158a8c211a03733400b50f0bccc0af57d40e4de2ee07612276778a9841bedbf8 |
|||
|
Detection
ClamAV:
Xls.Malware.Generic-6834349-0
Obfuscation or payload:
unlikely
|
|||
objdata_03_off00049055.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x49055 | 35899 bytes |
SHA-256: ef607096d312924c6c4e661f57600f46e2a0de16db7b08fc6c424edf330f7274 |
|||
|
Detection
ClamAV:
Xls.Malware.Generic-6834349-0
Obfuscation or payload:
unlikely
|
|||
objdata_04_off0006014b.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x6014B | 35899 bytes |
SHA-256: 3cfbbb5bad870062a5f1508708c8fe6b7123c55346b0f7d6637e0bcbec856659 |
|||
|
Detection
ClamAV:
Xls.Malware.Generic-6834349-0
Obfuscation or payload:
unlikely
|
|||
objdata_05_off00078051.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x78051 | 35899 bytes |
SHA-256: c105bb9fece9d066149288e9b090f2546b2c2c5e8d23da3cecb90a67cfc253a0 |
|||
|
Detection
ClamAV:
Xls.Malware.Generic-6834349-0
Obfuscation or payload:
unlikely
|
|||
objdata_06_off0008f165.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x8F165 | 35899 bytes |
SHA-256: 802b9d12ef720a2c7154e5d33d43a645d7b7e702c8dcbb6a6c6b2f7cad3d9d7b |
|||
|
Detection
ClamAV:
Xls.Malware.Generic-6834349-0
Obfuscation or payload:
unlikely
|
|||
objdata_07_off000a627b.bin |
rtf-objdata-decoded | RTF \objdata at offset 0xA627B | 35899 bytes |
SHA-256: 90d33823f843c28d47054aaabb012cfad1f22e09b2830aa0253bc0ed910f7ea6 |
|||
|
Detection
ClamAV:
Xls.Malware.Generic-6834349-0
Obfuscation or payload:
unlikely
|
|||
objdata_08_off000bd391.bin |
rtf-objdata-decoded | RTF \objdata at offset 0xBD391 | 35899 bytes |
SHA-256: ca0190361f0b37dbdc84079126e916d32e00bd579bd639747df4ddd70925c6f4 |
|||
|
Detection
ClamAV:
Xls.Malware.Generic-6834349-0
Obfuscation or payload:
unlikely
|
|||
objdata_09_off000d44a7.bin |
rtf-objdata-decoded | RTF \objdata at offset 0xD44A7 | 35899 bytes |
SHA-256: 53e91897263328799d944e5efb4ee8838eeca39520f8a283afcd9b1ef6841116 |
|||
|
Detection
ClamAV:
Xls.Malware.Generic-6834349-0
Obfuscation or payload:
unlikely
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.