Verdict: MALICIOUS (Risk Score 260)
Malware Insights
MITRE ATT&CK
- T1203 Exploitation for Client Execution
- T1566.001 Spearphishing Attachment
The RTF file contains multiple embedded OLE objects, with heuristics indicating that \objupdate forces OLE activation. Critical alerts for CVE-2017-8759 and ClamAV detections (Xls.Downloader.Generic-6750544-0) strongly suggest this vulnerability is being exploited. This technique is commonly used to download and execute further malicious content.
Heuristics (5)
- CVE-2017-8759 — MSXML SAX OLE activation (severity: critical; CVE likely; rule CVE_2017_8759): RTF contains a hex-encoded OLE1 object for Msxml2.SAXXMLReader.6.0 followed by an embedded OLE compound document, and the document requests OLE activation. This matches the RTF staging shape used for CVE-2017-8759 SOAP/WSDL parser code injection.
- ClamAV: Xls.Downloader.Generic-6750544-0 (severity: critical; rule CLAMAV_DETECTION): ClamAV detected this file as malware: Xls.Downloader.Generic-6750544-0
- \objupdate forces OLE activation (severity: high; rule RTF_OBJUPDATE): RTF contains \objupdate, which forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
- OLE object data (severity: medium; rule RTF_OBJDATA): RTF contains 10 \objdata section(s) (embedded OLE objects).
- Embedded OLE object (severity: medium; rule RTF_OBJEMB): RTF contains \objemb (embedded OLE object).
Extracted artifacts (10)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 | ClamAV detection | Obfuscation or payload |
|---|---|---|---|---|---|---|
| objdata_00_off00002cc4.bin | rtf-objdata-decoded | RTF \objdata at offset 0x2CC4 | 28731 bytes | dbeffbb5199f958a90f7443705e01231489bb613e17f62aa3e40567b287dfab4 | Xls.Downloader.Generic-6750544-0 | unlikely |
| objdata_01_off00016d0a.bin | rtf-objdata-decoded | RTF \objdata at offset 0x16D0A | 28731 bytes | 7002cb900d43af5d481a0504b6a85cbd99422977dac6d8b9584b5c3eb06d3f52 | Xls.Downloader.Generic-6750544-0 | unlikely |
| objdata_02_off0002ad50.bin | rtf-objdata-decoded | RTF \objdata at offset 0x2AD50 | 28731 bytes | cacdd05579edbbf9258bb11d14cc544387204eca9bccbe3c3bea4a6fc59ebbdb | Xls.Downloader.Generic-6750544-0 | unlikely |
| objdata_03_off0003ed96.bin | rtf-objdata-decoded | RTF \objdata at offset 0x3ED96 | 28731 bytes | b4b53a3866a09a78e853c5756f8900d053cbcc5aef2df0da445c97941656991a | Xls.Downloader.Generic-6750544-0 | unlikely |
| objdata_04_off00052ddc.bin | rtf-objdata-decoded | RTF \objdata at offset 0x52DDC | 28731 bytes | ecf010a82793f4c8d0634f9f253c4f39a5e550101a36ee26562c53542c6334cf | Xls.Downloader.Generic-6750544-0 | unlikely |
| objdata_05_off00066e22.bin | rtf-objdata-decoded | RTF \objdata at offset 0x66E22 | 28731 bytes | b235c8775456b2eb7cd614a105f8f65cba4cf8d39efa3e392787af6447fc7116 | Xls.Downloader.Generic-6750544-0 | unlikely |
| objdata_06_off0007ae68.bin | rtf-objdata-decoded | RTF \objdata at offset 0x7AE68 | 28731 bytes | eccf648f75f53c15840b00b6e33c5eb8352627340056391f464b253f8815db91 | Xls.Downloader.Generic-6750544-0 | unlikely |
| objdata_07_off0008eeae.bin | rtf-objdata-decoded | RTF \objdata at offset 0x8EEAE | 28731 bytes | f404bf2c317796738bb21be5ee89996b92af8aac7438e0920aa903cd519d5265 | Xls.Downloader.Generic-6750544-0 | unlikely |
| objdata_08_off000a2ef4.bin | rtf-objdata-decoded | RTF \objdata at offset 0xA2EF4 | 28731 bytes | c59b599ba2d6f15ff1573532ce18e2aac816265335b01cef3b16735c23df1417 | Xls.Downloader.Generic-6750544-0 | unlikely |
| objdata_09_off000b6f3a.bin | rtf-objdata-decoded | RTF \objdata at offset 0xB6F3A | 28731 bytes | 5f3fd1d65cd6d4cbc2876dcf9a3e548637500f67c06c4c731a36aadbd339aa30 | Xls.Downloader.Generic-6750544-0 | unlikely |