Verdict: MALICIOUS
Risk Score: 162

Malware Insights

MITRE ATT&CK:
- T1203 Exploitation for Client Execution
- T1566.001 Spearphishing Attachment
The RTF document contains multiple embedded OLE objects and triggers the CVE-2017-8759 exploit, which is known for allowing arbitrary code execution. This exploit is typically delivered via spearphishing attachments, suggesting a malicious intent to compromise the user's system.
Heuristics (5)

- CVE-2017-8759 — MSXML SAX OLE activation (severity critical, CVE likely, id CVE_2017_8759): RTF contains a hex-encoded OLE1 object for Msxml2.SAXXMLReader.6.0 followed by an embedded OLE compound document, and the document requests OLE activation. This matches the RTF staging shape used for CVE-2017-8759 SOAP/WSDL parser code injection.
- ClamAV: Doc.Exploit.DDEautoexec-6346603-1 (severity critical, id CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Exploit.DDEautoexec-6346603-1
- OLE object data (severity medium, id RTF_OBJDATA): RTF contains 10 \objdata section(s) — embedded OLE objects
- Embedded OLE object (severity medium, id RTF_OBJEMB): RTF contains \objemb — embedded OLE object
- Embedded URL (severity info, id EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.microsoft.com/office/word/2003/wordml (in RTF body)
Extracted artifacts (10)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| objdata_00_off000035b0.bin | rtf-objdata-decoded | RTF \objdata at offset 0x35B0 | 19505 bytes | 49dfad1fc4b46d3404a3985c5573bc5279d7fcf01ce6e9d9dc4863366ba8bc03 |
| objdata_01_off0000eacc.bin | rtf-objdata-decoded | RTF \objdata at offset 0xEACC | 19505 bytes | 885a9854e2f53beb0216dd900c9bb4c0a72a3869d0cbe65aa7c6db998023d506 |
| objdata_02_off00019fe8.bin | rtf-objdata-decoded | RTF \objdata at offset 0x19FE8 | 19505 bytes | aae46a98f0ef548e26d446d6fcff66a1020cc165febb962d9c5b21a343e21833 |
| objdata_03_off00025504.bin | rtf-objdata-decoded | RTF \objdata at offset 0x25504 | 19505 bytes | 3f8f773277e8491ffab3f00396031be4e76c5df4dbede7c948735af68aa37694 |
| objdata_04_off00030a20.bin | rtf-objdata-decoded | RTF \objdata at offset 0x30A20 | 19505 bytes | ab4374c8baecb81049d3bd132822a1d4e5ad66455a79ed96230320e94041743e |
| objdata_05_off0003bf5b.bin | rtf-objdata-decoded | RTF \objdata at offset 0x3BF5B | 19505 bytes | fb0a0dc213084bbce61b8c8388887153305bc4afc5aa231a29c774375610bf83 |
| objdata_06_off00047477.bin | rtf-objdata-decoded | RTF \objdata at offset 0x47477 | 19505 bytes | d2e7d13e40264604b168ff9049630a673db0dc3ef036e8fb232251f183591413 |
| objdata_07_off00052993.bin | rtf-objdata-decoded | RTF \objdata at offset 0x52993 | 19505 bytes | a4b9044ea03203c8ec2fe434fa2f88ca523e5007daaf927f1f26006a1a2f8c36 |
| objdata_08_off0005deaf.bin | rtf-objdata-decoded | RTF \objdata at offset 0x5DEAF | 19505 bytes | 5d0c3f0dd6c61485164646306e5fee1001adc6cc839e2c6e23c9c15c6f7ef61c |
| objdata_09_off000693cb.bin | rtf-objdata-decoded | RTF \objdata at offset 0x693CB | 19505 bytes | 9ffd8599f0e0fabe07da2f027de7ccfa0678d64df0b102b9c23a7f676830f421 |