MALICIOUS
162
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1204.002 Malicious File
The RTF file contains an embedded OLE object that is configured to update upon opening, a known technique for exploiting vulnerabilities like CVE-2017-0199. The document body explicitly instructs the user to 'Enable Editing', which is a common lure to bypass security measures and trigger the exploit. ClamAV detection confirms the presence of a known exploit.
Heuristics 6
-
ClamAV: Rtf.Exploit.CVE_2017_0199-6331394-6 critical CLAMAV_DETECTIONClamAV detected this file as malware: Rtf.Exploit.CVE_2017_0199-6331394-6
-
\objupdate forces OLE activation high RTF_OBJUPDATERTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
-
OLE object data medium RTF_OBJDATARTF contains 1 \objdata section(s) — embedded OLE objects
-
Embedded OLE object medium RTF_OBJEMBRTF contains \objemb — embedded OLE object
-
Macro/content-enable lure medium SE_ENABLE_LUREDocument instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.microsoft.com/office/word/2003/wordml
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
objdata_00_off000002e1.bin86a2177391abbc80c0be3dfdf8698db22d7feb02f2b91a50f04854a3154f6c70 |
rtf-objdata-decoded | RTF \objdata at offset 0x2E1 | 2593 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.