Verdict: MALICIOUS (Risk Score 142)
Malware Insights
MITRE ATT&CK
- T1203 Exploitation for Client Execution
- T1566.001 Spearphishing Attachment
The RTF file contains multiple embedded OLE objects and triggers an OLE activation via \objupdate, which is a strong indicator of exploitation. The critical heuristic firing for CVE-2017-8759 confirms the exploitation of this specific vulnerability to achieve code execution. The embedded benign URL is not considered a malicious IOC.
Heuristics (5)
- CVE-2017-8759 — MSXML SAX OLE activation (severity: critical, CVE likely, rule `CVE_2017_8759`): RTF contains a hex-encoded OLE1 object for Msxml2.SAXXMLReader.6.0 followed by an embedded OLE compound document, and the document requests OLE activation. This matches the RTF staging shape used for CVE-2017-8759 SOAP/WSDL parser code injection.
- \objupdate forces OLE activation (severity: high, rule `RTF_OBJUPDATE`): RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
- OLE object data (severity: medium, rule `RTF_OBJDATA`): RTF contains 10 \objdata section(s), i.e. embedded OLE objects.
- Embedded OLE object (severity: medium, rule `RTF_OBJEMB`): RTF contains \objemb, an embedded OLE object.
- Embedded URL (severity: info, rule `EMBEDDED_URL`): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.microsoft.com/office/word/2003/wordml (in RTF body).
Extracted artifacts (10)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| objdata_00_off00002c43.bin | rtf-objdata-decoded | RTF \objdata at offset 0x2C43 | 26683 bytes | 636a83e2c6dd5695e3d9be454c647aa580927986c45dbb1f8983c203932eb507 |
| objdata_01_off00015c64.bin | rtf-objdata-decoded | RTF \objdata at offset 0x15C64 | 26683 bytes | 70e512ba1eb083994b11107efb06dabbfeae8349ee4e245c08c133ee30d1bc9d |
| objdata_02_off00028c85.bin | rtf-objdata-decoded | RTF \objdata at offset 0x28C85 | 26683 bytes | eda6d64e81a299b85787312473c510e108cc62056d570adf33c734ac9b8c034e |
| objdata_03_off0003bca6.bin | rtf-objdata-decoded | RTF \objdata at offset 0x3BCA6 | 26683 bytes | 7782f3a4d49e763332adc9958c6a79e94a8d9f897ea0ae16c91090d7147ad102 |
| objdata_04_off0004ecc7.bin | rtf-objdata-decoded | RTF \objdata at offset 0x4ECC7 | 26683 bytes | eae7718f41ec2dcc7ce131bbbb063fc92e28e84729906455abf22ef12e1f8811 |
| objdata_05_off00061d32.bin | rtf-objdata-decoded | RTF \objdata at offset 0x61D32 | 26683 bytes | 3749836aaf29e32c919d882b41954f2bfaabd92d483747bd98f6b5231bfc4174 |
| objdata_06_off00074d53.bin | rtf-objdata-decoded | RTF \objdata at offset 0x74D53 | 26683 bytes | cc18ae36cb440b7da3d51702e01f25bd1d6fc64cb3c491c40f180c39b5a1f335 |
| objdata_07_off00087d74.bin | rtf-objdata-decoded | RTF \objdata at offset 0x87D74 | 26683 bytes | c490b7b9ba9ab2061aef4e881524745584266f826daee19ff3adac94cb2f1826 |
| objdata_08_off0009ad95.bin | rtf-objdata-decoded | RTF \objdata at offset 0x9AD95 | 26683 bytes | 3416170b837c438f1dcff39d2cd19708809c06adeb4e4b5f5e47615aaa8498b6 |
| objdata_09_off000addb6.bin | rtf-objdata-decoded | RTF \objdata at offset 0xADDB6 | 26683 bytes | b651e6c6b25e2740ca2522258163841ccc66ed3dbec9dd940d25031ec5c38db2 |