MALICIOUS
142
Risk Score
Malware Insights
MITRE ATT&CK
T1203 Exploitation for Client Execution
T1566.001 Spearphishing Attachment
The RTF file contains multiple embedded OLE objects and triggers an OLE activation via \objupdate, which is a strong indicator of exploitation. The critical heuristic firing for CVE-2017-8759 confirms the exploitation of this specific vulnerability to achieve code execution. The embedded benign URL is not considered a malicious IOC.
Heuristics 5
-
CVE-2017-8759 — MSXML SAX OLE activation critical CVE likely CVE_2017_8759RTF contains a hex-encoded OLE1 object for Msxml2.SAXXMLReader.6.0 followed by an embedded OLE compound document, and the document requests OLE activation. This matches the RTF staging shape used for CVE-2017-8759 SOAP/WSDL parser code injection.
-
\objupdate forces OLE activation high RTF_OBJUPDATERTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
-
OLE object data medium RTF_OBJDATARTF contains 10 \objdata section(s) — embedded OLE objects
-
Embedded OLE object medium RTF_OBJEMBRTF contains \objemb — embedded OLE object
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.microsoft.com/office/word/2003/wordml In RTF body
Extracted artifacts 9
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
objdata_00_off00002cb6.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x2CB6 | 26171 bytes |
SHA-256: e6094b6d315134bb5b4f05033d848696c48e094247b6731ebb9092064ddb160d |
|||
objdata_01_off000159db.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x159DB | 26171 bytes |
SHA-256: 0adc1960ccdcf468b2d108a518c78e539c7f52d6b74b8eb150c131761c8e40fe |
|||
objdata_02_off00028a9d.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x28A9D | 26171 bytes |
SHA-256: 8644d29b73e2c7e03a5e137d2688c6fa58f0a196c66aada730517ce68f8f157a |
|||
objdata_03_off0003bb5f.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x3BB5F | 26171 bytes |
SHA-256: f14c852eec5ccb1bbcdb11757af6aed8cec54fd52fcd42eb3aa34a38f62ab547 |
|||
objdata_04_off0004ec21.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x4EC21 | 26171 bytes |
SHA-256: f55e6bb4233fc7264d4e30bc34fe8c35a04b1a988dcecc5dd6aeac31bf64ae5b |
|||
objdata_06_off00074a87.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x74A87 | 26171 bytes |
SHA-256: 030a883fff1ff4c775e65489e8e44d6ed6653c9b570c7fb2e479fd34a8620f7c |
|||
objdata_07_off00087b49.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x87B49 | 26171 bytes |
SHA-256: eb170297f65a6c28780c731440e428501f437ca74db6e4b5bac6336691ff832a |
|||
objdata_08_off0009ac0b.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x9AC0B | 26171 bytes |
SHA-256: e19b8811cb4ff3de5ed550fa0eca64470c1bcaa6cd74a2dd8d813dc06b02e3b2 |
|||
objdata_09_off000adccd.bin |
rtf-objdata-decoded | RTF \objdata at offset 0xADCCD | 26171 bytes |
SHA-256: 9f1a88687ee0d142457385fe14b4ff6678a6b7acff78915d20ed9ce35880ffa7 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.