Xls.Malware.Sload-7135989-0 — RTF malware analysis

Static analysis result for SHA-256 71ea8894d4656933…

Verdict: MALICIOUS

File type: RTF

Size: 789.6 KB · Created: 2018-07-17 14:04:00 · First seen: 2019-11-20
MD5: 384209ca082bb1491ca8dbf6b7fbe42a
SHA-1: 56260275521653fdee760f3f0b59839a37605bcd
SHA-256: 71ea8894d4656933a13476da57b1c31e1192fb8bb7d487a8260a09344b6ed553
Risk score: 242

Malware Insights

Xls.Malware.Sload-7135989-0 · confidence 95%

MITRE ATT&CK
T1203 Exploitation for Client Execution · T1566.001 Spearphishing Attachment

The RTF file contains multiple OLE objects; heuristics flag a \objupdate control word, which forces OLE activation without user interaction, and the presence of Composite Moniker CLSIDs. ClamAV signatures identify the embedded content as Xls.Malware.Sload-7135989-0, suggesting an exploit targeting spreadsheet functionality. The primary attack vector is likely spearphishing, with the embedded OLE object serving as the malicious payload.

Heuristics (6)

  • Composite Moniker in RTF OLE object · severity: high · CVE related · RTF_COMPOSITE_MONIKER_RELATED
    RTF contains Composite Moniker CLSID in OLE object context, but no nearby scriptlet/SCT payload was confirmed. Treat as related moniker attack-surface evidence rather than proof of CVE-2017-8570 exploitation.
  • ClamAV: Xls.Malware.Sload-7135989-0 · severity: critical · CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Malware.Sload-7135989-0
  • \objupdate forces OLE activation · severity: high · RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data · severity: medium · RTF_OBJDATA
    RTF contains 10 \objdata section(s) — embedded OLE objects
  • Embedded OLE object · severity: medium · RTF_OBJEMB
    RTF contains \objemb — embedded OLE object
  • Embedded URL · severity: info · EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.microsoft.com/office/word/2003/wordml (in RTF body)

Extracted artifacts (10)

Files carved from inside the sample during analysis.

Filename · Kind · Source · Size
objdata_00_off00003c28.bin · rtf-objdata-decoded · RTF \objdata at offset 0x3C28 · 27195 bytes
SHA-256: 5e8acd93b10233f39d98da093657b04c5fd61a3af61a9e0a2e20c661ce24725f
Detection
ClamAV: Xls.Malware.Sload-7135989-0
Obfuscation or payload: unlikely
objdata_01_off00016894.bin · rtf-objdata-decoded · RTF \objdata at offset 0x16894 · 27195 bytes
SHA-256: 212e12bbd411fb3f58d7e344edd828165e052e76d354338ea50f1b08a74150c1
Detection
ClamAV: Xls.Malware.Sload-7135989-0
Obfuscation or payload: unlikely
objdata_02_off00029500.bin · rtf-objdata-decoded · RTF \objdata at offset 0x29500 · 27195 bytes
SHA-256: 22dde1a39aaf1947cdd6a37172e9b12ff7ea6a4f4973eebed8504033f99c51bc
Detection
ClamAV: Xls.Malware.Sload-7135989-0
Obfuscation or payload: unlikely
objdata_03_off0003c16c.bin · rtf-objdata-decoded · RTF \objdata at offset 0x3C16C · 27195 bytes
SHA-256: 39a29b8f363b2a81be4c5dd49540dabb2d79e3089abd28685f0b84f398ccc396
Detection
ClamAV: Xls.Malware.Sload-7135989-0
Obfuscation or payload: unlikely
objdata_04_off0004edd8.bin · rtf-objdata-decoded · RTF \objdata at offset 0x4EDD8 · 27195 bytes
SHA-256: 6880392877655775022aa095b1ad57978a3788d82a833588ffcd9908ab233041
Detection
ClamAV: Xls.Malware.Sload-7135989-0
Obfuscation or payload: unlikely
objdata_05_off00062854.bin · rtf-objdata-decoded · RTF \objdata at offset 0x62854 · 27195 bytes
SHA-256: 81c363b025d81e7dde43de6f5bfe80230406b67acaf9d147e5b3a33c86ed986b
Detection
ClamAV: Xls.Malware.Sload-7135989-0
Obfuscation or payload: unlikely
objdata_06_off000754de.bin · rtf-objdata-decoded · RTF \objdata at offset 0x754DE · 27195 bytes
SHA-256: c7870da06bd4c3f3319e51e70da5cf67b9f21bdd9044759ced67b67debee1656
Detection
ClamAV: Xls.Malware.Sload-7135989-0
Obfuscation or payload: unlikely
objdata_07_off0008816a.bin · rtf-objdata-decoded · RTF \objdata at offset 0x8816A · 27195 bytes
SHA-256: a8bbedae01b998130db5d31528081e82fcc86a70a601a0faf7e01a4710eb08b7
Detection
ClamAV: Xls.Malware.Sload-7135989-0
Obfuscation or payload: unlikely
objdata_08_off0009adf6.bin · rtf-objdata-decoded · RTF \objdata at offset 0x9ADF6 · 27195 bytes
SHA-256: 1fcd6e94f3f7dce9f562dee4336fa33bdad86f522d21ab46147f4fcb79a13ddb
Detection
ClamAV: Xls.Malware.Sload-7135989-0
Obfuscation or payload: unlikely
objdata_09_off000ada82.bin · rtf-objdata-decoded · RTF \objdata at offset 0xADA82 · 27195 bytes
SHA-256: 52fd123ff6e07bebe5cd014215f9065d0233178a162e77b02a015cf1dadad984
Detection
ClamAV: Xls.Malware.Sload-7135989-0
Obfuscation or payload: unlikely