Xls.Downloader.Sload-6834530-0 RTF malware analysis — malicious · 8a0074c65be2b9dc

MALICIOUS

RTF

6.71 MB Created: 2019-01-27 18:13:00 First seen: 2019-05-31

MD5: 24d0778f7d21858869750ef346ab5250 SHA-1: f0a80f176c60b122839df8b7e78bf620c5531b18 SHA-256: 8a0074c65be2b9dc5c1bf1fb7214eb72da9486d8c07fd88c38c58a87ba0702f6

322 Risk Score

Malware Insights

Xls.Downloader.Sload-6834530-0 · confidence 95%

MITRE ATT&CK

T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The RTF file contains multiple embedded OLE objects and excessive hex-encoded data, strongly indicating a hidden payload. The critical CVE-2017-8759 heuristic confirms exploitation of a known vulnerability for OLE activation. ClamAV detection as 'Xls.Downloader.Sload-6834530-0' further supports its malicious nature as a downloader. The embedded objects are likely used to fetch and execute a second-stage malicious file.

Heuristics 9

CVE-2017-8759 — MSXML SAX OLE activation critical CVE likely CVE_2017_8759

RTF contains a hex-encoded OLE1 object for Msxml2.SAXXMLReader.6.0 followed by an embedded OLE compound document, and the document requests OLE activation. This matches the RTF staging shape used for CVE-2017-8759 SOAP/WSDL parser code injection.
Composite Moniker in RTF OLE object high CVE related RTF_COMPOSITE_MONIKER_RELATED

RTF contains Composite Moniker CLSID in OLE object context, but no nearby scriptlet/SCT payload was confirmed. Treat as related moniker attack-surface evidence rather than proof of CVE-2017-8570 exploitation.
ClamAV: Xls.Downloader.Sload-6834530-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Xls.Downloader.Sload-6834530-0
\objupdate forces OLE activation high RTF_OBJUPDATE

RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
Large hex data blocks in OLE object high RTF_EXCESSIVE_HEX

RTF contains ~6985KB of hex-encoded data inside \objdata sections — may hide a payload
Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
OLE object data medium RTF_OBJDATA

RTF contains 5 \objdata section(s) — embedded OLE objects
Embedded OLE object medium RTF_OBJEMB

RTF contains \objemb — embedded OLE object
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://schemas.microsoft.com/office/word/2003/wordml In RTF body

Extracted artifacts 5

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`objdata_00_off00002ae8.bin`	rtf-objdata-decoded	RTF \objdata at offset 0x2AE8	47150 bytes
SHA-256: `d9c2b86e55ea59adef99065580fb1626451e68933a8eea8316153ab70019565d`
Detection ClamAV: No threats found Obfuscation or payload: likely Carved macro source contains an auto-exec entry point and execution/download terms.
`objdata_01_off0001f67d.bin`	rtf-objdata-decoded	RTF \objdata at offset 0x1F67D	47150 bytes
SHA-256: `0b94c0e5f49867dba191ef4a9b92d9aba1a88941ac6b9fe8474bf074cbe463e1`
Detection ClamAV: No threats found Obfuscation or payload: likely Carved macro source contains an auto-exec entry point and execution/download terms.
`objdata_02_off0003c214.bin`	rtf-objdata-decoded	RTF \objdata at offset 0x3C214	47150 bytes
SHA-256: `aeb8b1a03478d0dfec4810cf0e114c77f3a46522a77fe1b9f6e5861fab92d8ae`
Detection ClamAV: No threats found Obfuscation or payload: likely Carved macro source contains an auto-exec entry point and execution/download terms.
`objdata_03_off00058dab.bin`	rtf-objdata-decoded	RTF \objdata at offset 0x58DAB	47150 bytes
SHA-256: `30c68074bd6d028248181152105a84b68f03b2ddf068a9e967a4df413a2b216d`
Detection ClamAV: No threats found Obfuscation or payload: likely Carved macro source contains an auto-exec entry point and execution/download terms.
`objdata_04_off00075942.bin`	rtf-objdata-decoded	RTF \objdata at offset 0x75942	47150 bytes
SHA-256: `aa042a95688114d74b80ef1dd4bcda86c02b55f63bc6f1e410b4f01ee12aaea2`
Detection ClamAV: No threats found Obfuscation or payload: likely Carved macro source contains an auto-exec entry point and execution/download terms.

Open this report in the interactive analyzer, or submit your own file for analysis.