Verdict: MALICIOUS
Risk Score: 224

Malware Insights

MITRE ATT&CK:
- T1203 Exploitation for Client Execution
- T1566.001 Spearphishing Attachment
The RTF file contains multiple heuristics indicating malicious intent, including a critical alert for CVE-2017-8759, which is an exploit for MSXML SAX OLE activation. The presence of large, hex-encoded data within OLE objects and composite moniker-related findings further suggest the embedding of a malicious payload. The file's structure and the specific CVE exploited point towards an attempt to execute arbitrary code upon opening.
Heuristics (8)

- CVE-2017-8759: MSXML SAX OLE activation (critical; rule CVE_2017_8759). RTF contains a hex-encoded OLE1 object for Msxml2.SAXXMLReader.6.0 followed by an embedded OLE compound document, and the document requests OLE activation. This matches the RTF staging shape used for CVE-2017-8759 SOAP/WSDL parser code injection.
- Composite Moniker in RTF OLE object (high; rule RTF_COMPOSITE_MONIKER_RELATED). RTF contains a Composite Moniker CLSID in OLE object context, but no nearby scriptlet/SCT payload was confirmed. Treat as related moniker attack-surface evidence rather than proof of CVE-2017-8570 exploitation.
- Heap-spray pattern detected (high; rule SC_HEAP_SPRAY). Repeated 0x06 bytes found.
  Disassembly (attempted x86 opcode disassembly of the repeated region): 96 consecutive 0x06 bytes at offsets 0017AB4F through 0017ABAE, each decoding as `push es`:
      0017AB4F  06  push es
      0017AB50  06  push es
      0017AB51  06  push es
      ...  (identical `06  push es` at every address up to)
      0017ABAE  06  push es
- Large hex data blocks in OLE object (high; rule RTF_EXCESSIVE_HEX). RTF contains ~1138KB of hex-encoded data inside \objdata sections, which may hide a payload.
- OLE object data (medium; rule RTF_OBJDATA). RTF contains 6 \objdata section(s), i.e. embedded OLE objects.
- Embedded OLE object (medium; rule RTF_OBJEMB). RTF contains \objemb, an embedded OLE object.
- Suspicious extracted artifact (info; rule EXTRACTED_FILE_STATIC_TRIAGE). One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info; rule EMBEDDED_URL). One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URLs extracted (channel in parentheses):
- http://schemas.microsoft.com/office/word/2003/wordml (in RTF body)
- http://teamspace.pg.com/sites/s2c/global/method/Shared%20Documents/Methodology%20Templates/Flow%20Charts%20Sample%20(structured%20way).doc (in RTF body)
- http://gtp.na.pg.com:08001/sap/bc/solman/SolmanDocuments/400?_CLASS=SOLARGEN&_LOIO=4C1E1B19AF1652A2E10000009B7DA716&LANGUAGE=EN&RELEASE=620&IWB_INDUSTRY=/KWCUST/&TMP_IWB_TRY_OTHER_LANG=X&TMP_IWB_TRY_OTHER_IND=X&TMP_IWB_TASK=PREVIEW2&}{ (in RTF body)
- http://gtp.na.pg.com:08001/sap/bc/solman/SolmanDocuments/400?_CLASS=SOLARGEN&_LOIO=4C1E1B19AF1652A2E10000009B7DA716&LANGUAGE=EN&RELEASE=620&IWB_INDUSTRY=/KWCUST/&TMP_IWB_TRY_OTHER_LANG=X&TMP_IWB_TRY_OTHER_IND=X&TMP_IWB_TASK=PREVIEW2& (in RTF body)
- http://gtp.na.pg.com:08001/sap/bc/solman/SolmanDocuments/400?_CLASS=SOLARGEN&_LOIO=4BDA9A631E853F03E10000009B7DA716&LANGUAGE=EN&RELEASE=620&IWB_INDUSTRY=/KWCUST/&TMP_IWB_TRY_OTHER_LANG=X&TMP_IWB_TRY_OTHER_IND=X&TMP_IWB_TASK=PREVIEW2& (in RTF body)
- http://gtp.na.pg.com:08001/sap/bc/solman/SolmanDocuments/400?_CLASS=SOLARGEN&_LOIO=4C6C6F4C363725CCE10000009B7DA716&LANGUAGE=EN&RELEASE=620&IWB_INDUSTRY=/KWCUST/&TMP_IWB_TRY_OTHER_LANG=X&TMP_IWB_TRY_OTHER_IND=X&TMP_IWB_TASK=PREVIEW2&}{ (in RTF body)
- http://gtp.na.pg.com:08001/sap/bc/solman/SolmanDocuments/400?_CLASS=SOLARGEN&_LOIO=4C6C6F4C363725CCE10000009B7DA716&LANGUAGE=EN&RELEASE=620&IWB_INDUSTRY=/KWCUST/&TMP_IWB_TRY_OTHER_LANG=X&TMP_IWB_TRY_OTHER_IND=X&TMP_IWB_TASK=PREVIEW2& (in RTF body)
- http://gtp.na.pg.com:08001/sap/bc/solman/SolmanDocuments/400?_CLASS=SOLARGEN&_LOIO=4D5ACE213E3533A8E10000009B7DA716&LANGUAGE=EN&RELEASE=620&IWB_INDUSTRY=/KWCUST/&TMP_IWB_TRY_OTHER_LANG=X&TMP_IWB_TRY_OTHER_IND=X&TMP_IWB_TASK=PREVIEW2&}{ (in RTF body)
- http://gtp.na.pg.com:08001/sap/bc/solman/SolmanDocuments/400?_CLASS=SOLARGEN&_LOIO=4D5ACE213E3533A8E10000009B7DA716&LANGUAGE=EN&RELEASE=620&IWB_INDUSTRY=/KWCUST/&TMP_IWB_TRY_OTHER_LANG=X&TMP_IWB_TRY_OTHER_IND=X&TMP_IWB_TASK=PREVIEW2& (in RTF body)
- http://gtp.na.pg.com:08001/sap/bc/solman/SolmanDocuments/400?_CLASS=SOLARGEN&_LOIO=4D66494A1D905C9BE10000009B7DA716&LANGUAGE=EN&RELEASE=620&IWB_INDUSTRY=/KWCUST/&TMP_IWB_TRY_OTHER_LANG=X&TMP_IWB_TRY_OTHER_IND=X&TMP_IWB_TASK=PREVIEW2&}{ (in RTF body)
- http://gtp.na.pg.com:08001/sap/bc/solman/SolmanDocuments/400?_CLASS=SOLARGEN&_LOIO=4D66494A1D905C9BE10000009B7DA716&LANGUAGE=EN&RELEASE=620&IWB_INDUSTRY=/KWCUST/&TMP_IWB_TRY_OTHER_LANG=X&TMP_IWB_TRY_OTHER_IND=X&TMP_IWB_TASK=PREVIEW2& (in RTF body)
- http://schemas.microsoft.com/office/2006/metadata/contentType (in RTF body)
- http://schemas.microsoft.com/office/2006/metadata/properties/metaAttributes (in RTF body)
- http://schemas.microsoft.com/office/2006/metadata/properties (in RTF body)
- http://www.w3.org/2001/XMLSchema (in RTF body)
- http://schemas.microsoft.com/office/2006/documentManagement/types (in RTF body)
- http://schemas.microsoft.com/office/2006/documen (in RTF body)
- http://schemas.openxmlformats.org/package/2006/metadata/core-properties (in RTF body)
- http://www.w3.org/2001/XMLSchema-instance (in RTF body)
- http://purl.org/dc/elements/1.1/ (in RTF body)
- http://purl.org/dc/terms/ (in RTF body)
- http://schemas.microsoft.com/office/internal/2005/internalDocumentation (in RTF body)
- http://dublincore.org/schemas/xmls/qdc/2003/04/02/dc.xsd (in RTF body)
- http://dublincore.org/schemas/xmls/qdc/2003/04/02/dcterms.xsd (in RTF body)
- http://schemas.openxmlformats.org/officeDocument/2006/customXml (in RTF body)
- http://schemas.microsoft.com/office/2006/metadata/longProperties (in RTF body)
- http://schemas.microsoft.com/sharepoint/v3/contenttype/forms (in RTF body)
- http://schemas.openxmlformats.org/drawingml/2006/main (in RTF body)
- http://gtp.na.pg.com:08001/sap/bc/solman/SolmanDocuments/400?_CLASS=SOLARGEN&_LOIO=4CB381FCF45B5FE5E10000009B7DA716&LANGUAGE=EN&RELEASE=620&IWB_INDUSTRY=/KWCUST/&TMP_IWB_TRY_OTHER_LANG=X&TMP_IWB_TRY_OTHER_IND=X&TMP_IWB_TASK=PREVIEW2& (in RTF body)
Extracted artifacts (6)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 | Detection |
|---|---|---|---|---|---|
| objdata_00_off000240ef.bin | rtf-objdata-decoded | RTF \objdata at offset 0x240EF | 33713 bytes | 7ca1bec62c6415602221b1c86e878fb63c4224252283cd9bdf25208523b7cdd4 | - |
| objdata_01_off00035b8a.bin | rtf-objdata-decoded | RTF \objdata at offset 0x35B8A | 10417 bytes | 6618df7bef8ec025424765058147744cff2440026b8ce7f9257cccd03ff0ba03 | - |
| objdata_02_off0012cba1.bin | rtf-objdata-decoded | RTF \objdata at offset 0x12CBA1 | 10296 bytes | 9fe7868b04b3826bd71564573924bc8e75869fccd941730875acd86b58bfd3d3 | - |
| objdata_03_off00316067.bin | rtf-objdata-decoded | RTF \objdata at offset 0x316067 | 16906 bytes | 1fa729c68c0efaa7ffb9e9d28226a4a54d8fc053ee7470421db5788942e18287 | - |
| objdata_04_off004051a4.bin | rtf-objdata-decoded | RTF \objdata at offset 0x4051A4 | 1024349 bytes | 406ad7c1283bcd0e3614d8cbc21d83588deb257d7645ded74b58e0b9eebc7b63 | ClamAV: no threats found. Obfuscation or payload: likely (carved artifact entropy is 7.93, consistent with packed or encrypted content). |
| objdata_05_off005fb9c0.bin | rtf-objdata-decoded | RTF \objdata at offset 0x5FB9C0 | 22052 bytes | ffda31414c808d5b2be453190fd7ba2b66bdb3998ddc6b11cfaf8f87ad1e6086 | - |