MALICIOUS
242
Risk Score
Heuristics 6
-
Composite Moniker in RTF OLE object high RTF_COMPOSITE_MONIKER_RELATEDRTF contains Composite Moniker CLSID in OLE object context, but no nearby scriptlet/SCT payload was confirmed. Treat as related moniker attack-surface evidence rather than proof of CVE-2017-8570 exploitation.
-
ClamAV: Xls.Malware.Generic-6834349-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Xls.Malware.Generic-6834349-0
-
\objupdate forces OLE activation high RTF_OBJUPDATERTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
-
OLE object data medium RTF_OBJDATARTF contains 10 \objdata section(s) — embedded OLE objects
-
Embedded OLE object medium RTF_OBJEMBRTF contains \objemb — embedded OLE object
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.microsoft.com/office/word/2003/wordml In RTF body
Extracted artifacts 10
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
objdata_00_off00003cef.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x3CEF | 35899 bytes |
SHA-256: 3805a3ac50ac2c1f382ad027e50f12d1f74cdfde73b7fb33d55f37df668333c2 |
|||
|
Detection
ClamAV:
Xls.Malware.Generic-6834349-0
Obfuscation or payload:
unlikely
|
|||
objdata_01_off0001addf.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x1ADDF | 35899 bytes |
SHA-256: 458ca6836d23270168e482a1b29ae26645dbf9187df7832191e4d9e0ef759fdf |
|||
|
Detection
ClamAV:
Xls.Malware.Generic-6834349-0
Obfuscation or payload:
unlikely
|
|||
objdata_02_off00031ecf.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x31ECF | 35899 bytes |
SHA-256: 3780d845e6fcdf8816b55ec551d42ceffc421e70fc3dbba6f00586fa085e1db3 |
|||
|
Detection
ClamAV:
Xls.Malware.Generic-6834349-0
Obfuscation or payload:
unlikely
|
|||
objdata_03_off00048fbf.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x48FBF | 35899 bytes |
SHA-256: d85da6c2d2564000ab94b4d9751e3bed2d3aeac235f033ae1e5899f4a4648d24 |
|||
|
Detection
ClamAV:
Xls.Malware.Generic-6834349-0
Obfuscation or payload:
unlikely
|
|||
objdata_04_off000600af.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x600AF | 35899 bytes |
SHA-256: befa7fe174ed44da7c2d21f1984e7779a5da8a97e0aa25ed072fa1de6b305c67 |
|||
|
Detection
ClamAV:
Xls.Malware.Generic-6834349-0
Obfuscation or payload:
unlikely
|
|||
objdata_05_off00077fa3.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x77FA3 | 35899 bytes |
SHA-256: 2efb5a60fe35f9713c4abee08ba8690fb45de41e418e3d3d594ca758c385fba5 |
|||
|
Detection
ClamAV:
Xls.Malware.Generic-6834349-0
Obfuscation or payload:
unlikely
|
|||
objdata_06_off0008f0b3.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x8F0B3 | 35899 bytes |
SHA-256: c9fbc2084bab49f8db3bcdfd813f498b87e85b88d4b6a0b07bd7c701e5a8aa84 |
|||
|
Detection
ClamAV:
Xls.Malware.Generic-6834349-0
Obfuscation or payload:
unlikely
|
|||
objdata_07_off000a61c5.bin |
rtf-objdata-decoded | RTF \objdata at offset 0xA61C5 | 35899 bytes |
SHA-256: 91e8c1e56a7d45a32bb3d537c5bd5ae097464200c1a9a5af141181bc7b904f6e |
|||
|
Detection
ClamAV:
Xls.Malware.Generic-6834349-0
Obfuscation or payload:
unlikely
|
|||
objdata_08_off000bd2d7.bin |
rtf-objdata-decoded | RTF \objdata at offset 0xBD2D7 | 35899 bytes |
SHA-256: cb54e991700ba3344de131e8f63009c31d931d16ab97ade42a4e2f73bb59916e |
|||
|
Detection
ClamAV:
Xls.Malware.Generic-6834349-0
Obfuscation or payload:
unlikely
|
|||
objdata_09_off000d43e9.bin |
rtf-objdata-decoded | RTF \objdata at offset 0xD43E9 | 35899 bytes |
SHA-256: 063bc407509af3ac7c4f0e1e35779861f70e0526d4bb4f7273f210616061e803 |
|||
|
Detection
ClamAV:
Xls.Malware.Generic-6834349-0
Obfuscation or payload:
unlikely
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.