Xls.Downloader.Generic-6750544-0 — RTF malware analysis

Static analysis result for SHA-256 86679719a7fbf722…

Verdict: MALICIOUS
File type: RTF
Size: 841.5 KB
Created: 2018-03-12 22:04:00
First seen: 2018-03-30
MD5: 8769c8e156b689fb0750a9747df11f4e
SHA-1: 0c79c213a3ae7adf31bfdb12ac929b37cc966fd3
SHA-256: 86679719a7fbf7227aabdceec552527ca7d8048355dd02d35984366bb73efdcf
Risk score: 260

Malware Insights

Xls.Downloader.Generic-6750544-0 · confidence 95%

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1566.001 Phishing: Spearphishing Attachment

The RTF file embeds ten OLE objects and carries the \objupdate control word, which forces them to be instantiated as soon as the document is opened rather than when a user clicks them. The critical CVE-2017-8759 heuristic (an OLE1 object for Msxml2.SAXXMLReader.6.0 followed by an embedded OLE compound document, with activation requested) together with the ClamAV detection Xls.Downloader.Generic-6750544-0 strongly suggests that this vulnerability is being exploited. Note that the ClamAV name identifies a generic downloader family rather than the CVE itself, so the CVE attribution rests on the structural heuristic; the technique is commonly used to download and execute a further payload.

Heuristics (5)

  • CVE-2017-8759: MSXML SAX OLE activation [critical, likely] CVE_2017_8759
    RTF contains a hex-encoded OLE1 object for Msxml2.SAXXMLReader.6.0 followed by an embedded OLE compound document, and the document requests OLE activation. This matches the RTF staging shape used for CVE-2017-8759 (code injection through the .NET SOAP/WSDL parser).
  • ClamAV: Xls.Downloader.Generic-6750544-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Downloader.Generic-6750544-0.
  • \objupdate forces OLE activation [high] RTF_OBJUPDATE
    RTF contains \objupdate, which forces the embedded OLE object to be instantiated as soon as the document is opened, so no user interaction is needed to reach the object's handler. Seen almost exclusively in exploit documents, most often Equation Editor (CVE-2017-11882) samples but also, as here, CVE-2017-8759 staging.
  • OLE object data [medium] RTF_OBJDATA
    RTF contains 10 \objdata sections (embedded OLE objects).
  • Embedded OLE object [medium] RTF_OBJEMB
    RTF contains \objemb (embedded OLE object).
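The heuristics above are structural checks on the RTF text and on the OLE1 container inside each \objdata group. The script below is an added example, not part of this report or of the scanner that produced it: it carves every {\*\objdata ...} group, hex-decodes it across line wraps, parses the OLE1 ObjectHeader (MS-OLEDS 2.2.4) to recover the class name and NativeData, and raises rule names mirroring the five listed here when the CVE-2017-8759 staging shape is present. It assumes the compound document travels as the object's NativeData and that \objupdate is the activation trigger; the RTF it analyses is constructed inline for the demonstration, not the analysed sample, and the function and rule names are the example's own.

```python
import re
import struct

CFB_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"  # OLE compound document (CFB) signature

# Hypothetical rule names chosen to mirror the report's heuristic IDs
RULE_OBJUPDATE, RULE_OBJEMB, RULE_OBJDATA, RULE_8759 = (
    "RTF_OBJUPDATE", "RTF_OBJEMB", "RTF_OBJDATA", "CVE_2017_8759")

OBJDATA_RE = re.compile(r"\\\*\\objdata\s*([0-9A-Fa-f\s]+)\}")


def has_control(rtf, word):
    """True if the RTF control word \\word appears (control words end at the first non-letter)."""
    return re.search(r"\\" + word + r"(?![A-Za-z])", rtf) is not None


def extract_objdata(rtf):
    """Yield (offset, decoded bytes) for every {\\*\\objdata <hex>} group, tolerating line wraps."""
    for m in OBJDATA_RE.finditer(rtf):
        hexstr = re.sub(r"\s+", "", m.group(1))
        if len(hexstr) % 2:            # stray nibble left by a truncated writer
            hexstr = hexstr[:-1]
        yield m.start(), bytes.fromhex(hexstr)


def _lp_string(buf, pos):
    """MS-OLEDS LengthPrefixedAnsiString: u32 length (incl. NUL) then bytes; length 0 = absent."""
    (length,) = struct.unpack_from("<I", buf, pos)
    pos += 4
    if length == 0:
        return b"", pos
    return buf[pos:pos + length].rstrip(b"\x00"), pos + length


def parse_ole1(blob):
    """Parse an OLE1 ObjectHeader; return class name and NativeData (FormatID 2 = EmbeddedObject)."""
    if len(blob) < 20:                 # OLEVersion + FormatID + three empty length prefixes
        return None
    try:
        version, format_id = struct.unpack_from("<II", blob, 0)
        pos = 8
        class_name, pos = _lp_string(blob, pos)
        _topic, pos = _lp_string(blob, pos)
        _item, pos = _lp_string(blob, pos)
        native = b""
        if format_id == 2 and pos + 4 <= len(blob):
            (size,) = struct.unpack_from("<I", blob, pos)
            native = blob[pos + 4:pos + 4 + size]
    except struct.error:               # length prefix points past the end of the blob
        return None
    return {"version": version, "format_id": format_id,
            "class_name": class_name.decode("latin-1"), "native": native}


def analyze_rtf(rtf):
    """Apply the report's heuristics to RTF text; returns rule hits plus the parsed objects."""
    objupdate, objemb = has_control(rtf, "objupdate"), has_control(rtf, "objemb")
    findings = [r for r, hit in ((RULE_OBJUPDATE, objupdate), (RULE_OBJEMB, objemb)) if hit]
    objects = []
    for offset, blob in extract_objdata(rtf):
        hdr = parse_ole1(blob)
        if hdr is None:
            continue
        hdr["offset"] = offset
        hdr["has_cfb"] = hdr["native"].startswith(CFB_MAGIC)
        objects.append(hdr)
    if objects:
        findings.append(RULE_OBJDATA)
    # CVE-2017-8759 staging shape: a SAXXMLReader OLE1 object carrying a compound document,
    # plus \objupdate so it is instantiated on open (assumption: NativeData holds the CFB)
    if objupdate and any(o["class_name"].startswith("Msxml2.SAXXMLReader") and o["has_cfb"]
                         for o in objects):
        findings.append(RULE_8759)
    return {"objupdate": objupdate, "objemb": objemb, "objects": objects, "findings": findings}


def _lps(s):
    """Encode a LengthPrefixedAnsiString (NUL-terminated; the empty string encodes as length 0)."""
    return struct.pack("<I", len(s) + 1) + s + b"\x00" if s else struct.pack("<I", 0)


def build_sample(class_name=b"Msxml2.SAXXMLReader.6.0", objupdate=True):
    """Constructed test RTF (not the analysed file): one \\objemb object, hex wrapped at 64 chars."""
    native = CFB_MAGIC + b"\x00" * 24  # stand-in for a compound document: magic only
    obj = (struct.pack("<II", 0x00000501, 2) + _lps(class_name) + _lps(b"") + _lps(b"")
           + struct.pack("<I", len(native)) + native)
    hexdata = obj.hex()
    wrapped = "\n".join(hexdata[i:i + 64] for i in range(0, len(hexdata), 64))
    flags = "\\objemb" + ("\\objupdate" if objupdate else "") + "\\objw1\\objh1"
    return ("{\\rtf1\\ansi{\\object" + flags + "{\\*\\objclass " + class_name.decode() + "}"
            + "{\\*\\objdata\n" + wrapped + "\n}}}")


if __name__ == "__main__":
    for name, rtf in (("exploit-shaped", build_sample()),
                      ("no objupdate", build_sample(objupdate=False))):
        r = analyze_rtf(rtf)
        print(name, r["findings"], [(o["class_name"], hex(o["offset"])) for o in r["objects"]])
```

Dropping \objupdate from the constructed sample leaves RTF_OBJEMB and RTF_OBJDATA but not the CVE rule, which is the distinction the report draws between merely embedding an object and forcing its activation; real samples often wrap the hex in nested groups or interleave control words, so a production carver needs a proper RTF tokenizer rather than this regex.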

Extracted artifacts (10)

Files carved from inside the sample during analysis. All ten decoded objects are 28731 bytes, carry the same ClamAV detection, have distinct SHA-256 values, and sit at regular 0x14046-byte intervals in the RTF, consistent with one object template repeated ten times.

  • objdata_00_off00002cc4.bin
    Kind: rtf-objdata-decoded · Source: RTF \objdata at offset 0x2CC4 · Size: 28731 bytes
    SHA-256: dbeffbb5199f958a90f7443705e01231489bb613e17f62aa3e40567b287dfab4
    Detection: ClamAV: Xls.Downloader.Generic-6750544-0
    Obfuscation or payload: unlikely
  • objdata_01_off00016d0a.bin
    Kind: rtf-objdata-decoded · Source: RTF \objdata at offset 0x16D0A · Size: 28731 bytes
    SHA-256: 7002cb900d43af5d481a0504b6a85cbd99422977dac6d8b9584b5c3eb06d3f52
    Detection: ClamAV: Xls.Downloader.Generic-6750544-0
    Obfuscation or payload: unlikely
  • objdata_02_off0002ad50.bin
    Kind: rtf-objdata-decoded · Source: RTF \objdata at offset 0x2AD50 · Size: 28731 bytes
    SHA-256: cacdd05579edbbf9258bb11d14cc544387204eca9bccbe3c3bea4a6fc59ebbdb
    Detection: ClamAV: Xls.Downloader.Generic-6750544-0
    Obfuscation or payload: unlikely
  • objdata_03_off0003ed96.bin
    Kind: rtf-objdata-decoded · Source: RTF \objdata at offset 0x3ED96 · Size: 28731 bytes
    SHA-256: b4b53a3866a09a78e853c5756f8900d053cbcc5aef2df0da445c97941656991a
    Detection: ClamAV: Xls.Downloader.Generic-6750544-0
    Obfuscation or payload: unlikely
  • objdata_04_off00052ddc.bin
    Kind: rtf-objdata-decoded · Source: RTF \objdata at offset 0x52DDC · Size: 28731 bytes
    SHA-256: ecf010a82793f4c8d0634f9f253c4f39a5e550101a36ee26562c53542c6334cf
    Detection: ClamAV: Xls.Downloader.Generic-6750544-0
    Obfuscation or payload: unlikely
  • objdata_05_off00066e22.bin
    Kind: rtf-objdata-decoded · Source: RTF \objdata at offset 0x66E22 · Size: 28731 bytes
    SHA-256: b235c8775456b2eb7cd614a105f8f65cba4cf8d39efa3e392787af6447fc7116
    Detection: ClamAV: Xls.Downloader.Generic-6750544-0
    Obfuscation or payload: unlikely
  • objdata_06_off0007ae68.bin
    Kind: rtf-objdata-decoded · Source: RTF \objdata at offset 0x7AE68 · Size: 28731 bytes
    SHA-256: eccf648f75f53c15840b00b6e33c5eb8352627340056391f464b253f8815db91
    Detection: ClamAV: Xls.Downloader.Generic-6750544-0
    Obfuscation or payload: unlikely
  • objdata_07_off0008eeae.bin
    Kind: rtf-objdata-decoded · Source: RTF \objdata at offset 0x8EEAE · Size: 28731 bytes
    SHA-256: f404bf2c317796738bb21be5ee89996b92af8aac7438e0920aa903cd519d5265
    Detection: ClamAV: Xls.Downloader.Generic-6750544-0
    Obfuscation or payload: unlikely
  • objdata_08_off000a2ef4.bin
    Kind: rtf-objdata-decoded · Source: RTF \objdata at offset 0xA2EF4 · Size: 28731 bytes
    SHA-256: c59b599ba2d6f15ff1573532ce18e2aac816265335b01cef3b16735c23df1417
    Detection: ClamAV: Xls.Downloader.Generic-6750544-0
    Obfuscation or payload: unlikely
  • objdata_09_off000b6f3a.bin
    Kind: rtf-objdata-decoded · Source: RTF \objdata at offset 0xB6F3A · Size: 28731 bytes
    SHA-256: 5f3fd1d65cd6d4cbc2876dcf9a3e548637500f67c06c4c731a36aadbd339aa30
    Detection: ClamAV: Xls.Downloader.Generic-6750544-0
    Obfuscation or payload: unlikely